Vulnerabilities > CVE-2020-26171 - Authorization Bypass Through User-Controlled Key vulnerability in Tangro Business Workflow 1.17.5

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

tangro

CWE-639

NVD

Published: 2020-12-18

Updated: 2021-07-21

Summary

In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By doing this, users can add attachments to workitems that do not belong to them.

Vulnerable Configurations

Part	Description	Count
Application	Tangro Tangro Business Workflow 1.17.5	1

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://www.tangro.de/
https://blog.to.com/advisory-tangro-bwf-1-17-5-multiple-vulnerabilities/