
CVE-2022-45178
https://notcve.org/view.php?id=CVE-2022-45178
14 Apr 2023 — An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdeskintegration/saml/user/createorupdate endpoint, the /settings/guest-settings endpoint, the /settings/samlusers-settings endpoint, and the /settings/users-settings endpoint. A malicious user (already logged in as a SAML User) is able to achieve privilege escalation from a low-privilege user (FGM user) to an administrative user (GGU user), including the administrator, or create new users eve... Reference: https://www.gruppotim.it/it/footer/red-team.html

CVE-2022-45180
https://notcve.org/view.php?id=CVE-2022-45180
14 Apr 2023 — An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdesk_{DOMAIN]/export endpoint. A malicious user, authenticated to the product without any specific privilege, can use the API for exporting information about all users of the system (an operation intended to only be available to the system administrator). Reference: https://www.gruppotim.it/it/footer/red-team.html

CVE-2022-45172
https://notcve.org/view.php?id=CVE-2022-45172
31 Jan 2023 — An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by flaws in authorization logic, through which a malicious user (with no privileges) is able to perform privilege escalation to the administrator role, and steal the accounts of any users on the system. Reference: https://www.gruppotim.it/it/footer/red-team.html. CWE-863: Incorrect Authorization.