CVE-2020-14987 - Missing Authorization vulnerability in Bloomreach Experience Manager
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. It allows remote attackers to execute arbitrary code because there is a mishandling of the capability for administrators to write and run Groovy scripts within the updater editor. An attacker must use an AST transforming annotation such as @Grab.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |