PT-2019-13002 · Redwoodhq · Redwoodhq

Published: 2019-06-19 · Updated: 2020-08-24 · CVE-2019-12890

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
RedwoodHQ version 2.5.5

Description
RedwoodHQ does not require any authentication for database operations, which allows remote attackers to create admin users. This can be achieved via a con.automationframework users insert one call.

Recommendations
For RedwoodHQ version 2.5.5, consider implementing proper authentication mechanisms for database operations to prevent unauthorized access. As a temporary workaround, restrict access to the con.automationframework module to minimize the risk of exploitation.

Exploit

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2019-12890

Affected Products

Redwoodhq