CVE-2022-45172

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by flaws in authorization logic, through which a malicious user (with no privileges) is able to perform privilege escalation to the administrator role, and steal the accounts of any users on the system.

Se descubrió un problema en LIVEBOX Collaboration vDesk antes de v018. El control de acceso roto puede ocurrir en el endpoint /api/v1/registration/validateEmail, el endpoint /api/v1/vdeskintegration/user/adduser y el endpoint /api/v1/registration/changePasswordUser. La aplicación web se ve afectada por fallas en la lógica de autorización, a través de las cuales un usuario malintencionado (sin privilegios) puede realizar una escalada de privilegios al rol de administrador y robar las cuentas de cualquier usuario en el sistema.

*Credits: N/A

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-11-11 CVE Reserved
2023-01-31 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-08-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-863: Incorrect Authorization

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://www.gruppotim.it/it/footer/red-team.html	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Liveboxcloud Search vendor "Liveboxcloud"		Vdesk Search vendor "Liveboxcloud" for product "Vdesk"				< 018 Search vendor "Liveboxcloud" for product "Vdesk" and version " < 018"		-		Affected