CVE-2020-10793

 

  • Severity Score (CVSS v3.1): 8.8
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

CodeIgniter through 4.0.0 allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page. NOTE: A contributor to the CodeIgniter framework argues that the issue should not be attributed to CodeIgniter. Furthermore, the blog post reference shows an unknown website built with the CodeIgniter framework but that CodeIgniter is not responsible for introducing this issue because the framework has never provided a login screen, nor any kind of login or user management facilities beyond a Session library. Also, another reporter indicates the issue is with a custom module/plugin to CodeIgniter, not CodeIgniter itself.

*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-03-20 CVE Reserved
  • 2020-03-23 CVE Published
  • 2024-05-02 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-269: Improper Privilege Management
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Codeigniter | Codeigniter | <= 4.0.0 | - | Affected