In multiple Tecson Tankspion and GOKs SmartBox 4 products the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a unauthenticated user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2022-05-06T17:30:12.071700Z

Updated: 2024-09-16T20:22:12.620Z

Reserved: 2019-05-21T00:00:00

Link: CVE-2019-12254

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-05-06T18:15:08.397

Modified: 2024-11-21T04:22:29.477

Link: CVE-2019-12254

cve-icon Redhat

No data.