CVE-2020-19778

EUVD-2020-11676
Incorrect Access Control in Shopxo v1.4.0 and v1.5.0 allows remote attackers to gain privileges in "/index.php" by manipulating the parameter "user_id" in the HTML request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
Affected Products (NVD)
VendorProductVersion
shopxoshopxo
1.4.0
shopxoshopxo
1.5.0
𝑥
= Vulnerable software versions
References
https://cwe.mitre.org/data/definitions/472.html
https://github.com/gongfuxiang/shopxo/issues/23
https://cwe.mitre.org/data/definitions/472.html
https://github.com/gongfuxiang/shopxo/issues/23