Vulnerabilities > CVE-2021-33031 - Missing Authorization vulnerability in Labcup

CVSS 3.5 - LOW

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

labcup

CWE-862

NVD

Published: 2021-06-10

Updated: 2021-06-22

Summary

In LabCup before <v2_next_18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim's account. A user without the user-management privilege can change another user's email address if the attacker knows details of the victim such as the exact roles and group roles, ID, and remote authentication ID settings. These must be sent in a modified save API request. It was fixed in 6.3.0.03.

Vulnerable Configurations

Part	Description	Count
Application	Labcup Labcup Labcup *	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md
https://labcup.net/privacy-data-security/