CVE-2020-26177

Name of the Vulnerable Software and Affected Versions tangro Business Workflow versions prior to 1.18.1

Description The issue arises from the fact that certain restrictions on editing a user's profile are only applied on the client-side, allowing manipulation of greyed-out values in requests to the /api/profile endpoint. This means that server-side, these manipulations are not prohibited, potentially leading to unauthorized changes.

Recommendations For versions prior to 1.18.1, update to version 1.18.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /api/profile endpoint to minimize the risk of exploitation.