PT-2019-14002 · Humanica · Humatrix

Published: 2019-08-18 · Updated: 2021-07-21 · CVE-2019-15129

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Humanica Humatrix versions 1.0.0.203 through 1.0.0.681
Description: The candidate photo endpoint serves uploaded files without requiring authentication. An unauthenticated attacker can retrieve any candidate's photo by supplying that candidate's user id and the file name in the URI, for example "recruitment online/upload/user/[user id]/photo/[file name]"; iterating over user ids exposes all candidates' files in the photo folder. Only confidentiality is affected, which is what the CVSS vector (C:L/I:N/A:N) records.
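To make the finding concrete, here is an added example (not Humatrix code, and not from the advisory) that models the photo route twice: once with the behaviour the description gives, where the URI alone selects the file, and once with the authentication and authorization checks the "Missing Authentication" classification calls for. The in-memory store, the `Request` shape, the session field and the "recruiter" role name are all assumptions made for the illustration.

```python
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed stand-in for the on-disk folder "recruitment online/upload/user/<id>/photo/".
PHOTO_STORE: Dict[Tuple[str, str], bytes] = {
    ("1042", "1042.jpg"): b"\xff\xd8\xff\xe0 candidate 1042",
    ("1043", "1043.jpg"): b"\xff\xd8\xff\xe0 candidate 1043",
}

# The URI shape given in the advisory; the space in the first segment may arrive raw or as %20.
PHOTO_PATH = re.compile(
    r"^/recruitment(?:%20| )online/upload/user/(?P<uid>[^/]+)/photo/(?P<file>[^/]+)$"
)


@dataclass
class Request:
    """Assumed request model: path plus whatever the session layer knows about the caller."""
    path: str
    session_user: Optional[str] = None            # None models an unauthenticated client
    roles: FrozenSet[str] = field(default_factory=frozenset)


def parse_photo_path(path: str) -> Optional[Tuple[str, str]]:
    m = PHOTO_PATH.match(path)
    return (m.group("uid"), m.group("file")) if m else None


def serve_photo_vulnerable(req: Request) -> Tuple[int, bytes]:
    """The behaviour the advisory describes: whoever supplies a valid user id and
    file name gets the file back. Nothing about the caller is examined."""
    parsed = parse_photo_path(req.path)
    if parsed is None:
        return 404, b""
    data = PHOTO_STORE.get(parsed)
    return (200, data) if data is not None else (404, b"")


def serve_photo_hardened(req: Request) -> Tuple[int, bytes]:
    """Same route with the checks the Missing Authentication finding calls for."""
    parsed = parse_photo_path(req.path)
    if parsed is None:
        return 404, b""
    user_id, file_name = parsed
    # 1. Authentication: an anonymous request never reaches the file store.
    if req.session_user is None:
        return 401, b""
    # 2. Authorization: a candidate may read their own photo; the "recruiter" role
    #    (an assumed role name) may read any. Everyone else gets 403, which is what
    #    stops a logged-in user from walking the id space instead of an anonymous one.
    if req.session_user != user_id and "recruiter" not in req.roles:
        return 403, b""
    # 3. Defence in depth, beyond what the advisory describes: the file-name segment
    #    is attacker-controlled, so accept only a plain basename.
    if file_name in (".", "..") or posixpath.basename(file_name) != file_name or "\\" in file_name:
        return 400, b""
    data = PHOTO_STORE.get((user_id, file_name))
    return (200, data) if data is not None else (404, b"")


if __name__ == "__main__":
    uri = "/recruitment%20online/upload/user/1042/photo/1042.jpg"
    print("vulnerable, anonymous:", serve_photo_vulnerable(Request(uri))[0])
    print("hardened,  anonymous:", serve_photo_hardened(Request(uri))[0])
    print("hardened,  other user:", serve_photo_hardened(Request(uri, session_user="1043"))[0])
    print("hardened,  owner:", serve_photo_hardened(Request(uri, session_user="1042"))[0])
```

The order of the checks matters: authentication before authorization before any filesystem lookup, so an anonymous client cannot even distinguish existing from non-existing user ids (it always gets 401).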
Recommendations: For versions 1.0.0.203 through 1.0.0.681, restrict access to the "recruitment online/upload/user/[user id]/photo/[file name]" endpoint so that files are returned only to authenticated users who are authorized for the requested user id. Until a fixed version is deployed, the endpoint should not accept the user id parameter from unauthenticated clients, for example by blocking anonymous requests to that path at the web server or reverse proxy.
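Since the advisory only says that access should be restricted, a defender also wants to know whether the endpoint was already being walked before the restriction went in. The following is an added example (not part of the advisory or of Humatrix) that hunts web-server access logs for the pattern this issue produces: one client being served photos for many different user ids. The log lines are constructed, the combined log format and the `%20`-encoded path are assumptions about the deployment, and the three-id threshold is a starting value to tune.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Apache/nginx combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The URI shape from the advisory as it appears in a log (the space encoded as %20).
PHOTO_PATH = re.compile(
    r"^/recruitment(?:%20| )online/upload/user/(?P<uid>[^/]+)/photo/(?P<file>[^/?]+)"
)

# Constructed sample: one client walking user ids, one legitimate profile view,
# one request rejected after access was restricted, and unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2019:10:01:02 +0000] "GET /recruitment%20online/upload/user/1040/photo/1040.jpg HTTP/1.1" 200 51234 "-" "curl/7.58.0"
203.0.113.7 - - [18/Aug/2019:10:01:03 +0000] "GET /recruitment%20online/upload/user/1041/photo/1041.jpg HTTP/1.1" 200 48771 "-" "curl/7.58.0"
203.0.113.7 - - [18/Aug/2019:10:01:03 +0000] "GET /recruitment%20online/upload/user/1042/photo/1042.jpg HTTP/1.1" 200 50112 "-" "curl/7.58.0"
203.0.113.7 - - [18/Aug/2019:10:01:04 +0000] "GET /recruitment%20online/upload/user/1043/photo/1043.jpg HTTP/1.1" 200 47002 "-" "curl/7.58.0"
198.51.100.5 - - [18/Aug/2019:10:05:40 +0000] "GET /recruitment%20online/upload/user/1042/photo/1042.jpg HTTP/1.1" 200 50112 "https://hr.example/profile" "Mozilla/5.0"
198.51.100.9 - - [18/Aug/2019:10:07:12 +0000] "GET /recruitment%20online/upload/user/1050/photo/1050.jpg HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.5 - - [18/Aug/2019:10:07:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into ip, ts, method, path, status (all strings)."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def photo_hits(lines: Iterable[str]) -> List[dict]:
    """Every request to the photo endpoint, with user id and file name split out."""
    hits: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = PHOTO_PATH.match(rec["path"])
        if p is None:
            continue
        hits.append({**rec, "uid": p.group("uid"), "file": p.group("file"), "status": int(rec["status"])})
    return hits


def find_enumeration(lines: Iterable[str], min_distinct_ids: int = 3) -> Dict[str, Set[str]]:
    """Clients that were actually served (HTTP 200) photos for at least
    min_distinct_ids different user ids. A candidate or recruiter rarely does
    that; an unauthenticated walk of the id space does. Requests that were
    denied (401/403) do not count, so the detector stays quiet after the fix."""
    served: Dict[str, Set[str]] = defaultdict(set)
    for hit in photo_hits(lines):
        if hit["status"] == 200:
            served[hit["ip"]].add(hit["uid"])
    return {ip: ids for ip, ids in served.items() if len(ids) >= min_distinct_ids}


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} was served photos for {len(ids)} distinct user ids: {sorted(ids)}")
```

Run it against a real log with `find_enumeration(open("access.log"))`. Because the check keys on responses that succeeded, it doubles as a post-fix verification: once the endpoint is restricted, anonymous walkers should appear only as 401/403 rows in `photo_hits` and never in `find_enumeration`.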


Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2019-15129

Affected Products

Humatrix