CVE-2019-17604

low-risk
Published 2019-11-07

An Insecure Direct Object Reference (IDOR) vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to change other candidates' personal information (first name, last name, email, CV, phone number, and all other personal information) by changing the value of the candidate id (the id parameter).

Do I need to act?

-
0.22% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Eyecms

Affected Vendors

Eyecomms

References (4)

Product http://www.eyecomms.com/Products/eyeCMS.html
Exploit https://gist.github.com/AhMyth/b0f7e4b8244def8eb8d7d8c61fa6d4e5
Product http://www.eyecomms.com/Products/eyeCMS.html
Exploit https://gist.github.com/AhMyth/b0f7e4b8244def8eb8d7d8c61fa6d4e5
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal