PT-2022-18720 · Ofcms · Ofcms
Lyf123Lyf
·
Published
2022-04-10
·
Updated
2022-04-15
·
CVE-2022-27960
CVSS v2.0
5.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
OFCMS version 1.1.4
Description
The issue is related to insecure permissions configured in the
user id parameter at SysUserController.java, allowing attackers to access and arbitrarily modify users' personal information.Recommendations
For OFCMS version 1.1.4, consider restricting access to the
SysUserController.java to minimize the risk of exploitation. Avoid using the user id parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Incorrect Default Permissions
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ofcms