Authorization Bypass in UPV PEIX

Posted date 31/05/2023

Importance

3 - Medium

Affected Resources

UPV PEIX

Description

INCIBE has coordinated the publication of a vulnerability in UPV PEIX, an internship management system at the School of Computer Engineering of the Universitat Politècnica de València (UPV), which has been discovered by Pablo Alcarria Lozano and Germán Planells García.

The following code has been assigned to this vulnerability:

CVE-2023-2544:
- CVSS v3.1 base score: 5,3.
- CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
- Vulnerability type: CWE-639: authorization bypass through user-controlled key.

Solution

This vulnerability has been fixed in August 2022.

Detail

CVE-2023-2544: authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.

References list

Web-based internship management system

Etiquetas