CVE-2024-9970

Oct. 17, 2024, 8:33 p.m.

CVSS Score

8.8 / 10

Products Impacted

Vendor Product Versions
newtype
  • flowmaster_bpm_plus
  • *

Description

The FlowMaster BPM Plus system from NewType has a privilege escalation vulnerability. Remote attackers with regular privileges can elevate their privileges to administrator by tampering with a specific cookie.

Weaknesses

CWE-565
Reliance on Cookies without Validation and Integrity Checking

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

CWE ID: 565

Date

Published: Oct. 15, 2024, 4:15 a.m.

Last Modified: Oct. 17, 2024, 8:33 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

twcert@cert.org.tw

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a newtype flowmaster_bpm_plus / / / / / / / /

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score
8.8
Exploitability Score
2.8
Impact Score
5.9
Base Severity
HIGH
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References