CVE-2021-42116 - OpenCVE

Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Businessdnasolutions	Topease

Configuration 1 [-]

cpe:2.3:a:businessdnasolutions:topease:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://confluence.topease.ch/confluence/display/DOC/Release+Notes

History

No history.

MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2021-11-30T11:28:08

Updated: 2024-08-04T03:22:25.987Z

Reserved: 2021-10-08T00:00:00

Link: CVE-2021-42116

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-30T12:15:07.703

Modified: 2023-11-07T03:39:06.887

Link: CVE-2021-42116

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "TopEase", "vendor": "Business-DNA Solutions GmbH", "versions": [{"lessThanOrEqual": "7.1.27", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "SIX Group Services AG, Cyber Controls"}], "descriptions": [{"lang": "en", "value": "Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH\u2019s TopEase\u00ae Platform Version <= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-30T11:28:08", "orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"}], "source": {"discovery": "EXTERNAL"}, "title": "Unauthorized Menu Item Access in TopEase", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2021-42116", "STATE": "PUBLIC", "TITLE": "Unauthorized Menu Item Access in TopEase"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TopEase", "version": {"version_data": [{"version_affected": "<=", "version_value": "7.1.27"}]}}]}, "vendor_name": "Business-DNA Solutions GmbH"}]}}, "credit": [{"lang": "eng", "value": "SIX Group Services AG, Cyber Controls"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH\u2019s TopEase\u00ae Platform Version <= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes", "refsource": "CONFIRM", "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:22:25.987Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"}]}]}, "cveMetadata": {"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "assignerShortName": "NCSC.ch", "cveId": "CVE-2021-42116", "datePublished": "2021-11-30T11:28:08", "dateReserved": "2021-10-08T00:00:00", "dateUpdated": "2024-08-04T03:22:25.987Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:businessdnasolutions:topease:*:*:*:*:*:*:*:*", "matchCriteriaId": "5586486C-6AB4-4357-A17C-7957140EAB27", "versionEndIncluding": "7.1.27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH\u2019s TopEase\u00ae Platform Version <= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means."}, {"lang": "es", "value": "Un control de acceso incorrecto en las aplicaciones web que operan en la plataforma TopEase\u00ae de Business-DNA Solutions GmbH, versiones anteriores a 7.1.27 incluy\u00e9ndola, permite a un atacante remoto autenticado visualizar el editor de formas y la configuraci\u00f3n, que son funcionalidades para usuarios con mayores privilegios, por medio de la identificaci\u00f3n de dichos componentes en el c\u00f3digo fuente del front-end o por otros medios"}], "id": "CVE-2021-42116", "lastModified": "2023-11-07T03:39:06.887", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2021-11-30T12:15:07.703", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}