An unauthenticated Insecure Direct Object Reference (IDOR) in Wicket Core in LogonBox Nervepoint Access Manager 2013 through 2017 allows a…
mitre·CWE-639·Published 2019-03-17
An unauthenticated Insecure Direct Object Reference (IDOR) in Wicket Core in LogonBox Nervepoint Access Manager 2013 through 2017 allows a remote attacker to enumerate internal Active Directory usernames and group names, and alter back-end server jobs (backup and synchronization jobs), which could allow for the possibility of a Denial of Service attack via a modified jobId parameter in a runJob.html GET request.
An IDOR (Insecure Direct Object Reference) in Wicket Core in LogonBox Nervepoint Access Manager, from 2013 through 2017, allows a remote attacker to enumerate internal Active Directory usernames and group names, as well as alter back-end server jobs (backup and synchronization jobs). This could allow a denial-of-service attack via a modified jobId parameter in a GET request to runJob.html.
| Version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 7.5 | 10.0 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| 3.0 | Primary | NVD | 9.4 | 3.9 | 5.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |