Vulnerabilities > CVE-2018-19515 - Incorrect Authorization vulnerability in ENS Webgalamb 6.0/7.0

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

ens

CWE-863

critical

NVD

Published: 2019-03-21

Updated: 2019-10-03

Summary

In Webgalamb through 7.0, system/ajax.php functionality is supposed to be available only to the administrator. However, by using one of the bgsend, atment_sddd1xGz, or xls_bgimport query parameters, most of these methods become available to unauthenticated users.

Vulnerable Configurations

Part	Description	Count
Application	Ens ENS Webgalamb 6.0 ENS Webgalamb 7.0	2

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Packetstorm

data source	https://packetstormsecurity.com/files/download/151017/webgalamb-disclosexsssqlxsrf.txt
id	PACKETSTORM:151017
last seen	2019-01-08
published	2019-01-07
reporter	Daniel Jones
source	https://packetstormsecurity.com/files/151017/Webgalamb-Information-Disclosure-XSS-CSRF-SQL-Injection.html
title	Webgalamb Information Disclosure / XSS / CSRF / SQL Injection

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Packetstorm

References