La nuova immagine di TIM
Una nuova immagine con uno stile dinamico, colori moderni e persone che occupano quasi interamente la scena. Scopri di più
Presentazione dei Risultati H1 2025
Vai alla pagina
La Sostenibilità per TIM
Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci
Ultimi Comunicati Stampa
Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati
Vulnerability Description: Improper Access Control (Export of Users)- CWE-284
Software Version: <= v.018
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45180
CVSv3: 6.5
Severity: Medium
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
An issue was discovered in LIVEBOX Collaboration vDesk through v018.Broken Access Control exists under the /api/v1/vdesk_{DOMAIN]/export endpoint.A malicious user, authenticated to the product without any specific privilege, can use the API for exporting information about all users of the system (an operation intended to only be available to the system administrator).
Step-by-step instructions and PoC
A malicious user, authenticated to Collaboration vDesk without any specific privilege, can
use the API for exporting the information about all the users of the system.
Affected Endpoints
· https://vdeskbridge.[HOSTNAME]/api/v1/vdesk_[DOMAIN] /export
Payload used by an attacker to create arbitrary guest users without authentication:
Figure 4 Detail of the request and response. In the response we can see (highlighted in yellow) the information of the users encoded in base64.
Security Impact
This vulnerability would allow an attacker, authenticated as guest, to export the data of all
the users registered in the system.