Server-side Vulnerability: Unrestricted Manipulation of Greyed-Out Profile Values in tangro Business Workflow
CVE-2020-26177 · MEDIUM Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied client-side. Manipulating any of the greyed-out values in requests to /api/profile is not prohibited server-side.
Learn more about our Cis Benchmark Audit For Server Software.