CVE-2021-45915

EUVD-2021-32630
In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
Affected Products (NVD)
VendorProductVersion
luxsoftluxcal
𝑥
< 5.2.0
𝑥
= Vulnerable software versions
References
https://github.com/h1pmnh
https://h1pmnh.github.io/post/cve-luxcal-2021/
https://twitter.com/h1pmnh
https://www.luxsoft.eu/index.php?pge=dload
https://github.com/h1pmnh
https://h1pmnh.github.io/post/cve-luxcal-2021/
https://twitter.com/h1pmnh
https://www.luxsoft.eu/index.php?pge=dload