CVE-2019-13337

{"id": "CVE-2019-13337", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-07-09T20:15:10.713", "references": [{"url": "https://gist.github.com/polkaman/d039fb5236a043907e44efc198d9161c", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://gist.github.com/polkaman/d039fb5236a043907e44efc198d9161c", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required."}, {"lang": "es", "value": "En WESEEK GROWI versiones anteriores a 3.5.0, la identificaci\u00f3n b\u00e1sica de todo el sitio se puede omitir agregando un token de acceso del par\u00e1metro URL (este es el par\u00e1metro usado por la API). No se requiere un token v\u00e1lido ya que no est\u00e1 validado por el backend. El sitio web puede ser navegado como si no se requiere de una autenticaci\u00f3n b\u00e1sica."}], "lastModified": "2024-11-21T04:24:44.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:weseek:growi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "740F997E-C5AB-460E-ABF3-A81A61BFE75F", "versionEndExcluding": "3.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}