CVE-2020-26176 - Insecure Storage of Sensitive Information vulnerability in Tangro Business Workflow

CVSS 4.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, tangro, CWE-922

Summary

An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document/<DocumentID>/attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to gather valid attachment IDs for workitems that do not belong to them.

Vulnerable Configurations

Part        Description  Count
Application Tangro       1

Common Weakness Enumeration (CWE)

CWE-922: Insecure Storage of Sensitive Information