CVE-2022-23856

Published: Jan 24, 2022Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An attacker can enumerate users by changing the id parameter, such as for the ECM/maintenance/forgotpasswordstep1 URI.

Affected (1)

Products: Saviynt: Enterprise Identity Cloud

Saviynt

1 product

Enterprise Identity Cloud

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Saviynt Enterprise Identity Cloud	All versions

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://www.kb.cert.org/vuls/id/692873

Source: cve@mitre.org

ExploitThird Party AdvisoryUS Government Resource

https://www.kb.cert.org/vuls/id/692873

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryUS Government Resource

Timeline

No history available yet.