First published: 3 October 2024
Last update: 7 October 2024
ID: PDO14718
Affected Components: Fabasoft Cloud
Severity: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, Score: 7.7 HIGH
Status: Final
CVEs: -
Users with the appropriate prerequisites can execute non-secured code to obtain all roles using low-code.
An attacker with permission to write low-code can write an expression that executes non-secure code to assign any role to their own user.
The low-code vulnerability is fixed.
A hotfix was applied in the Fabasoft Cloud on 1 September 2024.
First published: 3 October 2024
Last update: 7 October 2024
ID: PDO13286
Affected Components: Fabasoft Cloud
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, Score: 8.7 HIGH
Status: Final
CVEs: -
Users with the appropriate prerequisites can obtain all roles using low-code.
An attacker with permission to write low-code can write an expression that assigns any role to their own user.
The low-code vulnerability is fixed.
A hotfix was applied in the Fabasoft Cloud on 5 June 2024.