AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.
References
Link | Resource |
---|---|
https://www.exploit-db.com/exploits/47822 | Exploit Third Party Advisory VDB Entry |
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php | Exploit Third Party Advisory |
https://www.exploit-db.com/exploits/47822 | Exploit Third Party Advisory VDB Entry |
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
AND |
|
History
21 Nov 2024, 05:12
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.exploit-db.com/exploits/47822 - Exploit, Third Party Advisory, VDB Entry | |
References | () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php - Exploit, Third Party Advisory |
Information
Published : 2021-04-28 14:15
Updated : 2024-11-21 05:12
NVD link : CVE-2020-21991
Mitre link : CVE-2020-21991
CVE.ORG link : CVE-2020-21991
JSON object : View
Products Affected
ave
- ts05
- ts05_firmware
- 53ab-wbs_firmware
- dominaplus
- ts01
- ts04x-v
- ts05n-v_firmware
- ts05n-v
- ts01_firmware
- ts03x-v_firmware
- 53ab-wbs
- ts04x-v_firmware
- ts03x-v
CWE
CWE-287
Improper Authentication