Server-side Vulnerability: Unrestricted Manipulation of Greyed-Out Profile Values in tangro Business Workflow

Server-side Vulnerability: Unrestricted Manipulation of Greyed-Out Profile Values in tangro Business Workflow

CVE-2020-26177 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied client-side. Manipulating any of the greyed-out values in requests to /api/profile is not prohibited server-side.

Learn more about our Cis Benchmark Audit For Server Software.