Lucene search

MitreCVE-2020-14017

HistoryJun 24, 2020 - 3:15 p.m.

CVE-2020-14017

2020-06-2415:15:12

CWE-312

mitre

web.nvd.nist.gov

cve-2020-14017

navigate cms

security issue

session management

csrf token

cleartext storage

unauthenticated access

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.3

Confidence

High

EPSS

0.004

Percentile

74.9%

JSON

An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well as associated information such as CSRF tokens, are stored in cleartext files in the directory /private/sessions. An unauthenticated user could use a brute-force approach to attempt to identify existing sessions, or view the contents of this file to discover details about a session.

Affected configurations

Nvd

Node

naviwebsnavigate_cmsMatch2.9r1433

VendorProductVersionCPE
naviwebsnavigate_cms2.9cpe:2.3:a:naviwebs:navigate_cms:2.9:r1433:*:*:*:*:*:*

Vendor	Product	Version	CPE
naviwebs	navigate_cms	2.9	cpe:2.3:a:naviwebs:navigate_cms:2.9:r1433::::::

References

blog.sean-wright.com/navigate-cms/

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.3

Confidence

High

EPSS

0.004

Percentile

74.9%

JSON

Related for CVE-2020-14017