8.6.7

CVSS 8.6 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

1crm

CWE-639

NVD

Published: 2020-09-18

Updated: 2021-07-21

Summary

An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL.

Vulnerable Configurations

Part	Description	Count
Application	1Crm 1Crm 1Crm 8.5.7 1Crm 1Crm 8.6.7	2

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

http://seclists.org/fulldisclosure/2020/Sep/31
https://aramido.de/blog/sicherheitshinweise/sicherheitswarnung-1crm-schutzt-daten-unzureichend-cve-2020-15958
https://1crm.com/documentation/
http://packetstormsecurity.com/files/159193/1CRM-8.6.7-Insecure-Direct-Object-Reference.html