Headline
CVE-2023-36339: RiSec Advisories | WebBoss.io CMS IDOR 2023 [1]
An access control issue in WebBoss.io CMS v3.7.0 allows attackers to access the Website Backup Tool via a crafted GET request.
CVE-2023-36339
Vendor
Product
WebBoss.io CMS
Affected Version(s)
Before 3.7.1
Vulnerability Discovery
May 22, 2023
Vendor Notification
May 22, 2023
Advisory Publication
July 21, 2023 [without technical details]
Vendor Fix
59 Days
Public Disclosure
-
Latest Modification
July 21, 2023
CVE Identifier(s)
CVE-2023-36339
Product Description
WebBoss.io CMS is a comprehensive website building platform that helps you seamlessly integrate ecommerce and create responsive websites faster. WebBoss gets your site up and running faster than other platforms of its kind. Whether you need to create e-commerce sites, blogs, or brochure sites, WebBoss has your back.
Credits
Steven Black, Security Analyst, Researcher & Penetration Tester @n0tst3
IDOR - Insecure Direct Object Reference
Severity: Medium
CVSS Score: 9+
CWE-ID: CWE-79
Status: Vendor Patched In 3.7.1
Vulnerability Description
An access control issue in WebBoss.io CMS before v3.7.1 allows attackers to:
- access the Website Backup Tool via a crafted GET request
- commence a backup request
- download the backup
CVSS Base Score
Attack Vector
Network
Scope
N/A
Attack Complexity
Low
Confidentiality Impact
High
Privileges Required
None
Integrity Impact
Low
User Interaction
None
Availability Impact
Low
WebBoss.io CMS has an access control issue before v3.7.1 allowing attackers to:
- access the Website Backup Tool via a crafted GET request
- commence a backup request
- download the backup
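The defect class above, missing server-side authorization on the backup endpoints so an anonymous GET is served, shown beside its fix as an added example. This is not WebBoss.io code; the endpoint paths, the session/role model and the dispatcher are placeholders chosen for illustration.

```python
"""Added example (not WebBoss.io code): a minimal request dispatcher showing
the access-control defect class behind CVE-2023-36339 beside its fix.
Endpoint paths and the session model are placeholders, not the vendor's."""
from dataclasses import dataclass
from typing import Optional

# Placeholder paths for the Website Backup Tool; the real ones are not public.
BACKUP_START = "/admin/backup/start"
BACKUP_DOWNLOAD = "/admin/backup/download"
BACKUP_PATHS = {BACKUP_START, BACKUP_DOWNLOAD}

@dataclass
class Request:
    method: str
    path: str
    # Constructed session state: None = anonymous visitor, else the user's role.
    role: Optional[str] = None

@dataclass
class Response:
    status: int
    body: str = ""

def backup_tool(req: Request) -> Response:
    """Does the work; it trusts the dispatcher to have authorized the caller."""
    if req.path == BACKUP_START:
        return Response(200, "backup job started")
    if req.path == BACKUP_DOWNLOAD:
        return Response(200, "<backup archive bytes>")
    return Response(404)

def vulnerable_dispatch(req: Request) -> Response:
    """Before: any request reaching a backup path is served (Privileges Required: None)."""
    if req.path in BACKUP_PATHS:
        return backup_tool(req)
    return Response(404)

def hardened_dispatch(req: Request) -> Response:
    """After: authorization comes from the server-side session, for every HTTP
    method, and never from anything the client places in the request line."""
    if req.path in BACKUP_PATHS:
        if req.role is None:
            return Response(401)   # no session: authentication required
        if req.role != "admin":
            return Response(403)   # authenticated but not permitted
        return backup_tool(req)
    return Response(404)

if __name__ == "__main__":
    anon = Request("GET", BACKUP_DOWNLOAD)
    print(vulnerable_dispatch(anon).status, hardened_dispatch(anon).status)  # 200 401
```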