CVE-2021-37214 (GCVE-0-2021-37214)
Vulnerability from cvelistv5
Published
2021-08-09 09:15
Modified
2024-09-17 00:16
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-706 - Use of Incorrectly-Resolved Name or Reference
Summary
The employee management page of Flygo contains Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrary access employee's data, modify it, and then obtain administrator privilege and execute arbitrary command.
References
Impacted products
Vendor Product Version
Larvata Digital Technology Co. Ltd. FLYGO Version: unspecified   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:16:03.817Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.twcert.org.tw/tw/cp-132-4991-658b1-1.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FLYGO",
          "vendor": "Larvata Digital Technology Co. Ltd.",
          "versions": [
            {
              "lessThanOrEqual": "2021.4e",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-08-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The employee management page of Flygo contains Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrary access employee\u0027s data, modify it, and then obtain administrator privilege and execute arbitrary command."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-706",
              "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-09T09:15:29",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-4991-658b1-1.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update FLYGO to version 1.91.1"
        }
      ],
      "source": {
        "advisory": "TVN-202108004",
        "discovery": "EXTERNAL"
      },
      "title": "Larvata Digital Technology Co. Ltd. FLYGO - Use of Incorrectly-Resolved Name or Reference-3",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "TWCERT/CC",
          "ASSIGNER": "cve@cert.org.tw",
          "DATE_PUBLIC": "2021-08-09T08:59:00.000Z",
          "ID": "CVE-2021-37214",
          "STATE": "PUBLIC",
          "TITLE": "Larvata Digital Technology Co. Ltd. FLYGO - Use of Incorrectly-Resolved Name or Reference-3"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "FLYGO",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2021.4e"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Larvata Digital Technology Co. Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The employee management page of Flygo contains Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrary access employee\u0027s data, modify it, and then obtain administrator privilege and execute arbitrary command."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-706 Use of Incorrectly-Resolved Name or Reference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.twcert.org.tw/tw/cp-132-4991-658b1-1.html",
              "refsource": "MISC",
              "url": "https://www.twcert.org.tw/tw/cp-132-4991-658b1-1.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update FLYGO to version 1.91.1"
          }
        ],
        "source": {
          "advisory": "TVN-202108004",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2021-37214",
    "datePublished": "2021-08-09T09:15:30.054953Z",
    "dateReserved": "2021-07-21T00:00:00",
    "dateUpdated": "2024-09-17T00:16:52.168Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-37214\",\"sourceIdentifier\":\"twcert@cert.org.tw\",\"published\":\"2021-08-09T10:15:08.427\",\"lastModified\":\"2024-11-21T06:14:52.737\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The employee management page of Flygo contains Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrary access employee\u0027s data, modify it, and then obtain administrator privilege and execute arbitrary command.\"},{\"lang\":\"es\",\"value\":\"La p\u00e1gina de gesti\u00f3n de empleados de Flygo contiene una vulnerabilidad de tipo Insecure Direct Object Reference (IDOR). Despu\u00e9s de ser autenticado como un usuario general, unos atacantes remotos pueden manipular el ID del empleado en par\u00e1metros espec\u00edficos para acceder arbitrariamente a los datos del empleado, modificarlos, y luego obtener el privilegio de administrador y ejecutar un comando arbitrario\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-706\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:larvata:flygo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.91.1\",\"matchCriteriaId\":\"9ED631EB-5A6C-4C60-B96E-412AB04B0A7B\"}]}]}],\"references\":[{\"url\":\"https://www.twcert.org.tw/tw/cp-132-4991-658b1-1.html\",\"source\":\"twcert@cert.org.tw\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.twcert.org.tw/tw/cp-132-4991-658b1-1.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.