PT-2019-13002 · Redwoodhq · Redwoodhq
Published 2019-06-19 · Updated 2020-08-24
CVE-2019-12890
CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
RedwoodHQ version 2.5.5
Description
The vulnerability allows remote attackers to create admin users because database operations require no authentication. This can be achieved via a con.automationframework users insert one call.
Recommendations
For RedwoodHQ version 2.5.5, implement proper authentication for database operations to prevent unauthorized access. As a temporary workaround, restrict access to the con.automationframework module to minimize the risk of exploitation.
Exploit
Fix
Missing Authentication
Weakness Enumeration
Related identifiers
Affected products
Redwoodhq