In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited…
mitre·CWE-669·Published 2020-12-18
In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied client-side. Manipulating any of the greyed-out values in requests to /api/profile is not prohibited server-side.
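The defect is a client-side-only restriction: the UI greys fields out, but the /api/profile handler writes whatever the request carries. The following is an added example, not tangro's code, showing that pattern next to a handler that enforces a per-role allowlist server-side; the field names, roles and request shape are hypothetical.

```python
# Added example, not tangro's own code. Field names, roles and the request
# shape are hypothetical; the point is that /api/profile must enforce the
# "greyed out" restriction itself instead of relying on the UI.

EDITABLE_BY_USER = {"display_name", "phone", "language"}      # editable in the UI
GREYED_OUT = {"department", "approval_limit", "cost_center"}  # shown, but read-only for regular users

ALLOWED_BY_ROLE = {
    "user": EDITABLE_BY_USER,
    "admin": EDITABLE_BY_USER | GREYED_OUT,
}


class ForbiddenFieldError(Exception):
    pass


def forbidden_fields(body, role):
    """Names in the request body that this role may not change (empty list = request is clean)."""
    return sorted(set(body) - ALLOWED_BY_ROLE.get(role, set()))


def update_profile_vulnerable(profile, body, role):
    """The pattern the advisory describes: every field sent is written; the UI is trusted."""
    updated = dict(profile)
    updated.update(body)
    return updated


def update_profile_hardened(profile, body, role):
    """Server-side enforcement: reject (rather than silently drop) fields outside the
    role's allowlist, so a tampered request is both blocked and visible in error logs."""
    bad = forbidden_fields(body, role)
    if bad:
        raise ForbiddenFieldError(f"role {role!r} may not modify {bad}")
    updated = dict(profile)
    updated.update(body)
    return updated


if __name__ == "__main__":
    stored = {"display_name": "A. User", "phone": "", "approval_limit": 1000}
    # Constructed request: a regular user's profile update carrying a greyed-out field.
    tampered = {"display_name": "A. User", "approval_limit": 999999}
    print(update_profile_vulnerable(stored, tampered, "user")["approval_limit"])  # 999999
    try:
        update_profile_hardened(stored, tampered, "user")
    except ForbiddenFieldError as e:
        print("rejected:", e)
```

Logging every non-empty `forbidden_fields` result gives a simple detection signal for clients that submit fields the UI never exposes to them.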
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.0 | 8.0 | 2.9 | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| 3.1 | Primary | cve.org | 4.3 | — | — | CVSS:3.1/AC:L/AV:N/A:N/C:N/I:L/PR:L/S:U/UI:N |
| 3.1 | Primary | NVD | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | NVD | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |