nvd-json-data-feeds/CVE-2019/CVE-2019-111xx/CVE-2019-11196.json

{
  "id": "CVE-2019-11196",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2019-04-12T03:29:00.497",
  "lastModified": "2020-08-24T17:37:01.140",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "An authentication bypass vulnerability in all versions of ValuePLUS Integrated University Management System (IUMS) allows unauthenticated, remote attackers to gain administrator privileges via the Teachers Web Panel (TWP) User ID or Password field. If exploited, the attackers could perform any actions with administrator privileges (e.g., enumerate/delete all the students' personal information or modify various settings)."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en todas las versiones de Integrated University Management System (IUMS) de ValuePLUS, permite a los atacantes remotos no autenticados alcanzar privilegios de administrador por medio del ID de usuario Teachers Web Panel (TWP) o el campo Password. Si estos son explotados, los atacantes podr\u00edan ejecutar cualquier acci\u00f3n con privilegios de administrador (por ejemplo, enumerar y eliminar toda la informaci\u00f3n personal de los estudiantes o modificar varias configuraciones)."
    }
  ],
  "metrics": {
    "cvssMetricV30": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.0",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "NONE",
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0
        },
        "baseSeverity": "HIGH",
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:vpcsbd:integrated_university_management_system:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB175D9B-493D-461E-BD0B-D1430876D3EA"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://blog.ziaurrashid.com/sql-injection-auth-bypass-on-iums/",
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    }
  ]
}