CVE-2021-37270

There is an unauthorized access vulnerability in the CMS Enterprise Website Construction System 5.0. Attackers can use this vulnerability to directly access the specified background path without logging in to the background to obtain the background administrator authority.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://github.com/purple-WL/S-cms-Unauthorized	Third Party Advisory
https://www.cnvd.org.cn/flaw/show/2815129	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:s-cms:cms_enterprise_website_construction_system:5.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-09-27 21:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-37270

Mitre link : CVE-2021-37270

CVE.ORG link : CVE-2021-37270

JSON object : View

Products Affected

s-cms

cms_enterprise_website_construction_system

CWE

CWE-862

Missing Authorization

{"id": "CVE-2021-37270", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-09-27T21:15:07.927", "references": [{"url": "https://github.com/purple-WL/S-cms-Unauthorized", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.cnvd.org.cn/flaw/show/2815129", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "There is an unauthorized access vulnerability in the CMS Enterprise Website Construction System 5.0. Attackers can use this vulnerability to directly access the specified background path without logging in to the background to obtain the background administrator authority."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de acceso no autorizado en CMS Enterprise Website Construction System versi\u00f3n 5.0. Unos atacantes pueden usar esta vulnerabilidad para acceder directamente a la ruta de fondo especificada sin iniciar sesi\u00f3n en el fondo para obtener la autoridad de administrador en segundo plano"}], "lastModified": "2021-10-06T16:11:34.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:s-cms:cms_enterprise_website_construction_system:5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EEA82B7-0A98-4F40-8192-95060E55354A"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}