Описание
In RSA Archer 6.9.SP1 P3, if some application functions are precluded by the Administrator, this can be bypassed by intercepting the API request at the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. If the parameters of this request are replaced with empty fields, the attacker achieves access to the precluded functions.
Ссылки
- Third Party Advisory
- Vendor Advisory
- Third Party Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 6.1.0.0 (включая) до 6.9.3.3 (исключая)
cpe:2.3:a:rsa:archer:*:*:*:*:*:*:*:*
EPSS
Процентиль: 48%
0.00247
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
NVD-CWE-noinfo
Связанные уязвимости
CVSS3: 6.5
github
почти 4 года назад
In RSA Archer 6.9.SP1 P3, if some application functions are precluded by the Administrator, this can be bypassed by intercepting the API request at the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. If the parameters of this request are replaced with empty fields, the attacker achieves access to the precluded functions.
EPSS
Процентиль: 48%
0.00247
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
NVD-CWE-noinfo