CVE-2021-45915

In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
luxsoftluxcal
𝑥
< 5.2.0
𝑥
= Vulnerable software versions
References
https://github.com/h1pmnh
https://h1pmnh.github.io/post/cve-luxcal-2021/
https://twitter.com/h1pmnh
https://www.luxsoft.eu/index.php?pge=dload
https://github.com/h1pmnh
https://h1pmnh.github.io/post/cve-luxcal-2021/
https://twitter.com/h1pmnh
https://www.luxsoft.eu/index.php?pge=dload