CVE-2020-12687 - Exposure of Resource to Wrong Sphere vulnerability in Serpico Project Serpico 1.3.0
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Summary
An issue was discovered in Serpico before 1.3.3. The /admin/attacments_backup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users (including administrators) from the database.
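The weakness described above is an authorization gate that only checks for a logged-in session on a route that should be admin-only. The following added Ruby example (not Serpico's own code; the route path is taken from the summary, the user model, log format and function names are assumptions) shows that gate in its vulnerable and fixed forms, and a check over access-log lines that flags non-admin accounts successfully reaching an /admin/ path.

```ruby
# Added example, not code from Serpico: a minimal authorization gate for an
# admin-only backup route, in its vulnerable and fixed forms, plus a check
# over access-log lines for the pattern this CVE produces.

User = Struct.new(:name, :admin)

# Vulnerable form: the only requirement is that someone is logged in, so any
# authenticated account can fetch /admin/attacments_backup.
def vulnerable_allowed?(_path, user)
  !user.nil?
end

# Fixed form: deny anonymous requests, require the admin flag for anything
# under /admin/, and allow other authenticated requests.
def fixed_allowed?(path, user)
  return false if user.nil?
  return user.admin == true if path.start_with?('/admin/')
  true
end

# Constructed access-log lines in the form "user path status"; not real logs.
SAMPLE_LOG = <<~LOG
  admin /admin/attacments_backup 200
  bob /reports/1 200
  bob /admin/attacments_backup 200
  carol /admin/attacments_backup 403
LOG

# Returns [user, path] pairs where a non-admin account successfully reached an
# /admin/ path: the signal a defender looks for when assessing exposure.
def non_admin_admin_hits(log, admins)
  log.each_line.filter_map do |line|
    user, path, status = line.split
    next unless path.start_with?('/admin/') && status == '200'
    next if admins.include?(user)
    [user, path]
  end
end

if __FILE__ == $PROGRAM_NAME
  bob = User.new('bob', false)
  puts "vulnerable gate lets bob in: #{vulnerable_allowed?('/admin/attacments_backup', bob)}"
  puts "fixed gate lets bob in: #{fixed_allowed?('/admin/attacments_backup', bob)}"
  p non_admin_admin_hits(SAMPLE_LOG, ['admin'])
end
```

In a real Sinatra application the admin requirement belongs in the route handler or a `before` filter for the admin routes rather than in a string-prefix check, so that every admin endpoint is covered by default.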
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE): CWE-668 Exposure of Resource to Wrong Sphere
References
- https://github.com/SerpicoProject/Serpico/commit/0b8600414976a5ad733604c7b1428071baf239c2
- https://github.com/SerpicoProject/Serpico/releases/tag/1.3.3