CVE-2022-40319

Published: Jan 17, 2023Modified: Apr 4, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account.

Affected (1)

Products: Lsoft: Listserv

Lsoft

1 product

Listserv

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lsoft Listserv	Version 17.0

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://packetstormsecurity.com/2301-exploits/listserv17-idor.txt

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://peach.ease.lsoft.com/scripts/wa-PEACH.exe?A0=LSTSRV-L

Source: cve@mitre.org

Vendor Advisory

https://packetstormsecurity.com/2301-exploits/listserv17-idor.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://peach.ease.lsoft.com/scripts/wa-PEACH.exe?A0=LSTSRV-L

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.