CVE-2020-25966

{"id": "CVE-2020-25966", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-10-28T18:15:13.413", "references": [{"url": "https://gitlab.com/Gazzaz/Spectra_API_Issue/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://sectona.com/products/spectra-privileged-access-management/", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value. NOTE: The vendor has indicated this is not a vulnerability and states \"This vulnerability occurred due to wrong configuration of system."}, {"lang": "es", "value": "** EN DISPUTA ** Sectona Spectra versiones anteriores a 3.4.0, presenta un endpoint de la API SOAP vulnerable que filtra informaci\u00f3n confidencial sobre los activos configurados sin la autenticaci\u00f3n apropiada. Esto podr\u00eda ser usado por partes no autorizadas para obtener credenciales de inicio de sesi\u00f3n configuradas de los activos por medio de un valor de pAccountID modificado. NOTA: El proveedor ha indicado que esto no es una vulnerabilidad y afirma \"Esta vulnerabilidad se produjo debido a una configuraci\u00f3n err\u00f3nea del sistema\""}], "lastModified": "2024-08-04T16:15:41.077", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sectona:spectra:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "026F3F29-2933-49AB-AFA3-9081F0470406", "versionEndExcluding": "3.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}