Vulnerability-Lookup

CNVD-2021-13936

Vulnerability from cnvd - Published: 2021-03-02

Title

Endalia Selection Portal任意文件上传漏洞

Description

Endalia Selection Portal是西班牙Endalia公司的一个应用软件。提供一个吸引和选拔人才的软件。 Endalia Selection Portal在4.205.0之前版本中存在任意文件上传漏洞。该漏洞源于一个不安全的对象引用允许任何登录的用户通过修改文件标识符来上传任意文件。目前没有详细漏洞细节提供。

Severity

中

Patch Name

Endalia Selection Portal任意文件上传漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新：https://github.com/blackarrowsec/advisories/tree/master/2020/CVE-2020-35577

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-35577

Impacted products

Name
Endalia Endalia Selection Porta <4.205.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-35577",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-35577"
    }
  },
  "description": "Endalia Selection Portal\u662f\u897f\u73ed\u7259Endalia\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u63d0\u4f9b\u4e00\u4e2a\u5438\u5f15\u548c\u9009\u62d4\u4eba\u624d\u7684\u8f6f\u4ef6\u3002\n\nEndalia Selection Portal\u57284.205.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e00\u4e2a\u4e0d\u5b89\u5168\u7684\u5bf9\u8c61\u5f15\u7528\u5141\u8bb8\u4efb\u4f55\u767b\u5f55\u7684\u7528\u6237\u901a\u8fc7\u4fee\u6539\u6587\u4ef6\u6807\u8bc6\u7b26\u6765\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1ahttps://github.com/blackarrowsec/advisories/tree/master/2020/CVE-2020-35577",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-13936",
  "openTime": "2021-03-02",
  "patchDescription": "Endalia Selection Portal\u662f\u897f\u73ed\u7259Endalia\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u63d0\u4f9b\u4e00\u4e2a\u5438\u5f15\u548c\u9009\u62d4\u4eba\u624d\u7684\u8f6f\u4ef6\u3002\r\n\r\nEndalia Selection Portal\u57284.205.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e00\u4e2a\u4e0d\u5b89\u5168\u7684\u5bf9\u8c61\u5f15\u7528\u5141\u8bb8\u4efb\u4f55\u767b\u5f55\u7684\u7528\u6237\u901a\u8fc7\u4fee\u6539\u6587\u4ef6\u6807\u8bc6\u7b26\u6765\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Endalia Selection Portal\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Endalia Endalia Selection Porta \u003c4.205.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-35577",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-20",
  "title": "Endalia Selection Portal\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e"
}

CVE-2020-35577 (GCVE-0-2020-35577)

Vulnerability from cvelistv5 – Published: 2021-02-18 13:43 – Updated: 2024-08-04 17:09

Summary

In Endalia Selection Portal before 4.205.0, an Insecure Direct Object Reference (IDOR) allows any authenticated user to download every file uploaded to the platform by changing the value of the file identifier (aka CommonDownload identification number).

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.endalia.com/en/software/	x_refsource_MISC
	https://github.com/blackarrowsec/advisories/tree/…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:09:14.881Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.endalia.com/en/software/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/blackarrowsec/advisories/tree/master/2020/CVE-2020-35577"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Endalia Selection Portal before 4.205.0, an Insecure Direct Object Reference (IDOR) allows any authenticated user to download every file uploaded to the platform by changing the value of the file identifier (aka CommonDownload identification number)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-18T13:43:31.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.endalia.com/en/software/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/blackarrowsec/advisories/tree/master/2020/CVE-2020-35577"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-35577",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Endalia Selection Portal before 4.205.0, an Insecure Direct Object Reference (IDOR) allows any authenticated user to download every file uploaded to the platform by changing the value of the file identifier (aka CommonDownload identification number)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.endalia.com/en/software/",
              "refsource": "MISC",
              "url": "https://www.endalia.com/en/software/"
            },
            {
              "name": "https://github.com/blackarrowsec/advisories/tree/master/2020/CVE-2020-35577",
              "refsource": "MISC",
              "url": "https://github.com/blackarrowsec/advisories/tree/master/2020/CVE-2020-35577"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-35577",
    "datePublished": "2021-02-18T13:43:31.000Z",
    "dateReserved": "2020-12-20T00:00:00.000Z",
    "dateUpdated": "2024-08-04T17:09:14.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-13936

CVE-2020-35577 (GCVE-0-2020-35577)

Tags

Sightings

Nomenclature