Vulnerabilities > Tangro

DATE CVE VULNERABILITY TITLE RISK
2020-12-18 CVE-2020-26178 Authorization Bypass Through User-Controlled Key vulnerability in Tangro Business Workflow 1.17.5
In tangro Business Workflow before 1.18.1, knowing an attachment ID, it is possible to download workitem attachments without being authenticated.
network
low complexity
tangro CWE-639
5.3
2020-12-18 CVE-2020-26177 Incorrect Resource Transfer Between Spheres vulnerability in Tangro Business Workflow 1.17.5
In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited by regular users.
network
low complexity
tangro CWE-669
4.3
2020-12-18 CVE-2020-26176 Insecure Storage of Sensitive Information vulnerability in Tangro Business Workflow 1.17.5
An issue was discovered in tangro Business Workflow before 1.18.1.
network
low complexity
tangro CWE-922
4.3
2020-12-18 CVE-2020-26175 Authorization Bypass Through User-Controlled Key vulnerability in Tangro Business Workflow 1.17.5
In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change profile information of other users.
network
low complexity
tangro CWE-639
6.5
2020-12-18 CVE-2020-26174 Unrestricted Upload of File with Dangerous Type vulnerability in Tangro Business Workflow 1.17.5
tangro Business Workflow before 1.18.1 requests a list of allowed filetypes from the server and restricts uploads to the filetypes contained in this list.
network
low complexity
tangro CWE-434
8.8
2020-12-18 CVE-2020-26173 Authorization Bypass Through User-Controlled Key vulnerability in Tangro Business Workflow 1.17.5
An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by providing a valid document ID and token.
network
low complexity
tangro CWE-639
4.3
2020-12-18 CVE-2020-26172 Authentication Bypass by Capture-replay vulnerability in Tangro Business Workflow 1.17.5
Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active.
network
low complexity
tangro CWE-294
6.5
2020-12-18 CVE-2020-26171 Authorization Bypass Through User-Controlled Key vulnerability in Tangro Business Workflow 1.17.5
In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated.
network
low complexity
tangro CWE-639
4.3