Vulnerability Details CVE-2020-21991
AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to a missing control check when the autologin GET parameter is called directly in the changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.
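A log check for the request described above, as an added example that is not part of the original entry or of any AVE tooling. It assumes access logs in combined log format are available (for instance from a reverse proxy in front of the device); the function name, sample lines and addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:02:41 +0000] "GET /changeparams.php?autologin=1 HTTP/1.1" 200 0 "-" "curl/7.68.0"
198.51.100.7 - - [12/Mar/2021:10:02:45 +0000] "GET /ChangeParams.php?foo=bar&%61utologin=1 HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.0.2.10 - - [12/Mar/2021:10:05:00 +0000] "GET /changeparams.php?lang=en HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2021:10:06:13 +0000] "GET /changeparams.php?autologin=0 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_autologin_requests(log_text):
    """Return one record per request to changeparams.php carrying autologin."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        # Decode and lowercase the path: a conservative match, since the
        # device's path case handling is not stated in the entry.
        if not unquote(url.path).lower().endswith("/changeparams.php"):
            continue
        # parse_qs percent-decodes names, so %61utologin is seen as autologin.
        params = parse_qs(url.query, keep_blank_values=True)
        if "autologin" not in params:
            continue
        values = params["autologin"]
        hits.append({
            "src": m["src"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "values": values,
            # The entry names value 1 as the one that disables authentication.
            "value_is_1": "1" in values,
        })
    return hits

if __name__ == "__main__":
    for hit in find_autologin_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with value_is_1 set warrants checking whether authentication is still enforced on the device, since the entry describes the change as permanent.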
Exploit prediction scoring system (EPSS) score
EPSS Score 0.053
EPSS Ranking 89.6%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Products affected by CVE-2020-21991
- cpe:2.3:a:ave:dominaplus:1.10.11
- cpe:2.3:a:ave:dominaplus:1.10.22
- cpe:2.3:a:ave:dominaplus:1.10.25
- cpe:2.3:a:ave:dominaplus:1.10.35
- cpe:2.3:a:ave:dominaplus:1.10.44
- cpe:2.3:a:ave:dominaplus:1.10.45
- cpe:2.3:a:ave:dominaplus:1.10.46
- cpe:2.3:a:ave:dominaplus:1.10.49
- cpe:2.3:a:ave:dominaplus:1.10.52
- cpe:2.3:a:ave:dominaplus:1.10.52a
- cpe:2.3:a:ave:dominaplus:1.10.60
- cpe:2.3:a:ave:dominaplus:1.10.62
- cpe:2.3:a:ave:dominaplus:1.10.64
- cpe:2.3:a:ave:dominaplus:1.10.65
- cpe:2.3:a:ave:dominaplus:1.10.77
- cpe:2.3:o:ave:53ab-wbs_firmware:1.10.62
- cpe:2.3:o:ave:ts01_firmware:1.0.65
- cpe:2.3:o:ave:ts03x-v_firmware:1.10.45a
- cpe:2.3:o:ave:ts04x-v_firmware:1.10.45a
- cpe:2.3:o:ave:ts05_firmware:1.10.36
- cpe:2.3:o:ave:ts05n-v_firmware:-