La Sostenibilità per TIM

Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci

Ultimi Comunicati Stampa

Redazione ufficio stampa

Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati

CVE-2022-45180

CVE-2022-45180 – LiveBox Collaboration vDesk

Vulnerability Description: Improper Access Control (Export of Users)- CWE-284

Software Version: <= v.018

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45180

CVSv3: 6.5

Severity: Medium

Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli

An issue was discovered in LIVEBOX Collaboration vDesk through v018.Broken Access Control exists under the /api/v1/vdesk_{DOMAIN]/export endpoint.A malicious user, authenticated to the product without any specific privilege, can use the API for exporting information about all users of the system (an operation intended to only be available to the system administrator).

Step-by-step instructions and PoC

A malicious user, authenticated to Collaboration vDesk without any specific privilege, can
use the API for exporting the information about all the users of the system.

Affected Endpoints

·       https://vdeskbridge.[HOSTNAME]/api/v1/vdesk_[DOMAIN] /export

Payload used by an attacker to create arbitrary guest users without authentication:

Figure 4 Detail of the request and response. In the response we can see (highlighted in yellow) the information of the users encoded in base64.

 

Click to Enlarge

 

Security Impact

This vulnerability would allow an attacker, authenticated as guest, to export the data of all
the users registered in the system.