Broken access control
Vulnerability details
A vulnerability has been identified in the web administration interface for SNS products. An administrator can write some of the configuration settings even if another user with administration rights is logged in with write access privileges.
Impacted products
Revisions
Version | Date | Description
v1 | 07/15/2024 | Initial release
v2 | 09/24/2024 | Update and Disclosed

Stormshield Network Security | CVSS v3.1 Overall Score: 1.5
Analysis
The SNS web interface allows only one administrator to have write access at a time. If a user with administration privileges wants to perform write operations while another administrator holds the lock, writing is impossible. However, some commands can be executed despite the lock.

Impacted version
- SNS 4.8.2
- SNS 4.6.0 to 4.7.6
- SNS 4.3.0 to 4.3.27
- SNS 3.11.0 to 3.11.29
- SNS 3.7.0 to 3.7.41
Workaround solution
There is no workaround solution.

Solution
The following versions fix this vulnerability:
- 4.8.3
- 4.7.7
- 4.3.28
- 3.11.30
- 3.7.42
Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability impact
Local | Low | High | None | Unchanged | None | Low | None

Exploit Code Maturity | Remediation Level | Report Confidence
Proof of concept code | Official fix | Confirmed

Confidentiality Requirement | Integrity Requirement | Availability Requirement
Medium | Low | Low
Acknowledgements
This vulnerability has been discovered by researchers nicovell3 and borgi.