WebBoss.io CMS IDOR 2023 [1]
CVE-2023-36339
Vendor | WebBoss.io |
Product | WebBoss.io CMS |
Affected Version(s) | Before 3.7.0.1 |
Vulnerability Discovery | May 22, 2023 |
Vendor Notification | May 22, 2023 |
Advisory Publication | July 21, 2023 [without technical details] |
Vendor Fix | 59 Days |
Public Disclosure | - |
Latest Modification | 21, July, 2023 |
CVE Identifier(s) | CVE-2023-36339 |
Product Description | WebBoss.io CMS is a comprehensive website building platform that helps you seamlessly integrate ecommerce and create responsive websites faster. WebBoss gets your site up and running faster than other platforms of its kind. Whether you need to create e-commerce sites, blogs, or brochure sites, WebBoss has your back. |
Credits | Steven Black, Security Analyst, Researcher & Penetration Tester @n0tst3 |
Vulnerability Details
IDOR - Insecure Direct Object Reference | |||
Severity: High | CVSS Score: 9+ | CWE-ID: CWE-284 | Status: Vendor Patched In 3.7.0.1 |
Vulnerability Description | |||
An access control issue in WebBoss.io CMS before v3.7.0.1 allows attackers to: (1) access the Website Backup Tool via a crafted GET request; (2) commence a backup request; (3) download the backup. | |||
CVSS Base Score | |||
Attack Vector | Network | Scope | N/A |
Attack Complexity | Low | Confidentiality Impact | High |
Privileges Required | None | Integrity Impact | Low |
User Interaction | None | Availability Impact | Low |
Description
WebBoss.io CMS has an access control issue before v3.7.0.1 allowing attackers to: (1) access the Website Backup Tool via a crafted GET request; (2) commence a backup request; (3) download the backup.