PT-2017-12173 · Unknown · Hashtopussy

Ghost

Published

2017-07-27

Updated

2019-10-03

CVE-2017-11681

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Hashtopussy version 0.4.0

Description The issue allows remote authenticated users to execute actions that should only be available for administrative roles. This can be demonstrated by sending an action=createVoucher request to the "agents.php" endpoint.

Recommendations For version 0.4.0, consider restricting access to the "agents.php" endpoint until a patch is available, and limit the execution of actions that should only be available for administrative roles.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-269

Related Identifiers

CVE-2017-11681

Affected Products

Hashtopussy

PT-2017-12173 · Unknown · Hashtopussy

CVE-2017-11681

Weakness Enumeration

Related Identifiers

Affected Products

References · 3