Vulnerabilities > CVE-2019-19866 - Authorization Bypass Through User-Controlled Key vulnerability in Atos Unify Openscape UC web Client 10.0/9.0

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

atos

CWE-639

NVD

Published: 2020-02-21

Updated: 2022-04-18

Summary

Atos Unify OpenScape UC Web Client V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows remote attackers to obtain sensitive information. By iterating the value of conferenceId to getMailFunction in the JSON API, one can enumerate all conferences scheduled on the platform, with their numbers and access PINs.

Vulnerable Configurations

Part	Description	Count
Application	Atos Atos Unify Openscape UC WEB Client 10.0 Atos Unify Openscape UC WEB Client 9.0	2

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://networks.unify.com/security/advisories/OBSO-2002-01.pdf
https://unify.com/en/support/security-advisories