CVE-2020-29031
15.02.2021, 16:15
An Insecure Direct Object Reference vulnerability exists in the web UI of the GateManager which allows an authenticated attacker to reset the password of any user in its domain or any sub-domain, via escalation of privileges. This issue affects all GateManager versions prior to 9.2c.
| Vendor | Product | Version |
|---|---|---|
| secomea | gatemanager_8250_firmware | x < 9.2c |
| secomea | gatemanager_4250_firmware | x < 9.0i |
| secomea | gatemanager_4260_firmware | x < 9.0i |
| secomea | gatemanager_9250_firmware | x < 9.0i |

x = vulnerable software versions
Common Weakness Enumeration

- CWE-280 - Improper Handling of Insufficient Permissions or Privileges: The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state.
- CWE-269 - Improper Privilege Management: The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.