CVE-2021-37215 - OpenCVE

The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attacker can manipulate the user data and then over-write another employee’s user data by specifying that employee’s ID in the API parameter.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Larvata	Flygo

Configuration 1 [-]

cpe:2.3:a:larvata:flygo:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-4992-dac66-1.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2021-08-09T09:15:31.594414Z

Updated: 2024-09-17T02:41:52.763Z

Reserved: 2021-07-21T00:00:00

Link: CVE-2021-37215

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-08-09T10:15:08.503

Modified: 2022-04-25T19:56:55.260

Link: CVE-2021-37215

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "FLYGO", "vendor": "Larvata Digital Technology Co. Ltd.", "versions": [{"lessThanOrEqual": "2021.4e", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-08-09T00:00:00", "descriptions": [{"lang": "en", "value": "The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attacker can manipulate the user data and then over-write another employee\u2019s user data by specifying that employee\u2019s ID in the API parameter."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-706", "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-09T09:15:31", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-4992-dac66-1.html"}], "solutions": [{"lang": "en", "value": "Update FLYGO to version 1.91.1"}], "source": {"advisory": "TVN-202108005", "discovery": "EXTERNAL"}, "title": "Larvata Digital Technology Co. Ltd. FLYGO - Use of Incorrectly-Resolved Name or Reference-4", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2021-08-09T08:59:00.000Z", "ID": "CVE-2021-37215", "STATE": "PUBLIC", "TITLE": "Larvata Digital Technology Co. Ltd. FLYGO - Use of Incorrectly-Resolved Name or Reference-4"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "FLYGO", "version": {"version_data": [{"version_affected": "<=", "version_value": "2021.4e"}]}}]}, "vendor_name": "Larvata Digital Technology Co. Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attacker can manipulate the user data and then over-write another employee\u2019s user data by specifying that employee\u2019s ID in the API parameter."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-706 Use of Incorrectly-Resolved Name or Reference"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-4992-dac66-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-4992-dac66-1.html"}]}, "solution": [{"lang": "en", "value": "Update FLYGO to version 1.91.1"}], "source": {"advisory": "TVN-202108005", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:16:03.383Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-4992-dac66-1.html"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-37215", "datePublished": "2021-08-09T09:15:31.594414Z", "dateReserved": "2021-07-21T00:00:00", "dateUpdated": "2024-09-17T02:41:52.763Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:larvata:flygo:*:*:*:*:*:*:*:*", "matchCriteriaId": "9ED631EB-5A6C-4C60-B96E-412AB04B0A7B", "versionEndExcluding": "1.91.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attacker can manipulate the user data and then over-write another employee\u2019s user data by specifying that employee\u2019s ID in the API parameter."}, {"lang": "es", "value": "La p\u00e1gina de gesti\u00f3n de empleados de Flygo contiene una vulnerabilidad de tipo Insecure Direct Object Reference (IDOR). Despu\u00e9s de ser autenticado como un usuario general, un atacante remoto puede manipular los datos de usuario y luego sobrescribir los datos de usuario de otro empleado especificando el ID de ese empleado en el par\u00e1metro API"}], "id": "CVE-2021-37215", "lastModified": "2022-04-25T19:56:55.260", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2021-08-09T10:15:08.503", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-4992-dac66-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-706"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}