WS-2020-0204

Good to know:

Date: December 1, 2020

A security vulnerability was found in ezsystems/ez-support-tools 2.2.x before 2.2.3. A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The "Setup / System info" policy should be required to access it, but only backend login is actually required. This means any editor can see core system information, including the output from phpinfo().

Language: PHP

Severity Score

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version ezsystems/ez-support-tools - v2.2.3

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): HIGH
Availability (A): HIGH
