CVE-2020-26176
CVE-2020-26176
An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document/<DocumentID>/attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to gather valid attachment IDs for workitems that do not belong to them.
CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N
Produtos afetados
n/a · n/aQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →