{ "id": "CVE-2020-28403", "sourceIdentifier": "cve@mitre.org", "published": "2021-01-29T07:15:16.390", "lastModified": "2021-02-01T14:14:32.147", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. The attacker can use this to grant themselves an administrative role or to remove the administrative account of the application." }, { "lang": "es", "value": "Se presenta una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en Star Practice Management Web versi\u00f3n 2019.2.0.6, que permite a un atacante cambiar los privilegios de cualquier usuario de la aplicaci\u00f3n. Esto puede ser usado para otorgarse un rol administrativo o eliminar la cuenta administrativa de la aplicaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.8, "impactScore": 5.9 }, { "source": "cve@mitre.org", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.1, "impactScore": 5.9 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-352" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:iris:star:2019.2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "CA4E68A0-F7AB-4470-9ED3-8441C5A8881C" } ] } ] } ], "references": [ { "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-28403", "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ] }, { "url": "https://www.starpracticemanagement.com/", "source": "cve@mitre.org", "tags": [ "Product" ] } ] }