PT-2021-2273 · Unknown · Mbconnect24

Published

2021-03-02

Updated

2021-03-09

CVE-2020-12528

CVSS v3.1

7.7

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: mymbCONNECT24 and mbCONNECT24 versions through V2.6.2

Description: The issue is related to improper use of access validation, allowing a logged-in user to kill web2go sessions in an account they should not have access to. This is due to insecure privilege management, which can be exploited by a remote attacker to terminate web2go sessions in unauthorized accounts.

Recommendations: For versions through V2.6.2, consider restricting access to the web2go session management functionality until a patch is available. As a temporary workaround, limit the privileges of logged-in users to prevent them from accessing accounts they should not have access to.

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-269

Related Identifiers

BDU:2021-01268

CVE-2020-12528

Affected Products

Mbconnect24

PT-2021-2273 · Unknown · Mbconnect24

CVE-2020-12528

Weakness Enumeration

Related Identifiers

Affected Products

References · 6