CVE-2020-26177 - Incorrect Resource Transfer Between Spheres vulnerability in Tangro Business Workflow 1.17.5

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: LOW
Availability impact: NONE
Tags: network, low complexity, tangro, CWE-669

Summary

In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied client-side. Manipulating any of the greyed-out values in requests to /api/profile is not prohibited server-side.

Vulnerable Configurations

Part         Description  Count
Application  Tangro       1