Headline
CVE-2023-2544: Authorization Bypass in UPV PEIX | INCIBE-CERT
Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.
Affected Resources
UPV PEIX
Description
INCIBE has coordinated the publication of a vulnerability in UPV PEIX, an internship management system at the School of Computer Engineering of the Universitat Politècnica de València (UPV). The vulnerability was discovered by Pablo Alcarria Lozano and Germán Planells García.
The following code has been assigned to this vulnerability:
- CVE-2023-2544:
  - CVSS v3.1 base score: 5.3.
  - CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
  - Vulnerability type: CWE-639: authorization bypass through user-controlled key.
Solution
This vulnerability was fixed in August 2022.
Detail
- CVE-2023-2544: authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.
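A server-side ownership check of the kind that addresses CWE-639 issues like the one described above, as an added example. It is not PEIX code: the record store, the `id` POST field name, the `role` value and every function name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed records standing in for the application's stored user data.
const RECORDS = [
    101 => ['owner' => 101, 'name' => 'Student A'],
    102 => ['owner' => 102, 'name' => 'Student B'],
];

// Hypothetical role check for staff who may legitimately read any record.
function can_read_all(array $session): bool
{
    return ($session['role'] ?? '') === 'coordinator';
}

/**
 * Decide whether a request may read the record named in the POST body.
 * The submitted ID is untrusted: it is honoured only when the session's
 * user owns the record or holds a role that grants wider access.
 */
function authorize_record_request(array $session, array $post): array
{
    if (!isset($session['user_id'])) {
        return ['status' => 401, 'body' => null];   // no authenticated session
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return ['status' => 400, 'body' => null];   // missing or malformed ID
    }
    $record = RECORDS[$id] ?? null;
    $allowed = $record !== null
        && ($record['owner'] === $session['user_id'] || can_read_all($session));
    if (!$allowed) {
        // Same answer for "does not exist" and "not yours", so the response
        // does not reveal which IDs are in use.
        return ['status' => 404, 'body' => null];
    }
    return ['status' => 200, 'body' => $record];
}

// Constructed requests from user 101: own record, another user's, bad input.
$session = ['user_id' => 101, 'role' => 'student'];
foreach ([101, 102, 'abc'] as $id) {
    $result = authorize_record_request($session, ['id' => $id]);
    printf("id=%s -> HTTP %d\n", var_export($id, true), $result['status']);
}
```

The decision depends on the server-side session identity, so changing the submitted ID alone no longer changes whose data is returned.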