CVE-2020-21991

Name of the Vulnerable Software and Affected Versions: AVE DOMINAplus versions prior to 1.11

Description: The issue arises from a missing control check when directly calling the autologin GET parameter in the "changeparams.php" script. By setting the autologin value to 1, an unauthenticated attacker can bypass authentication, permanently disable the authentication security control, and access the management interface with admin privileges without providing credentials.

Recommendations: For AVE DOMINAplus versions prior to 1.11, as a temporary workaround, consider restricting access to the "changeparams.php" script to minimize the risk of exploitation. Avoid using the autologin parameter in the affected script until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.