{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4B558D8-2991-4D71-8E3E-A5166E4B4F78", "versionEndIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CodeIgniter through 4.0.0 allows remote attackers to gain privileges via a modified Email ID to the \"Select Role of the User\" page. NOTE: A contributor to the CodeIgniter framework argues that the issue should not be attributed to CodeIgniter. Furthermore, the blog post reference shows an unknown website built with the CodeIgniter framework but that CodeIgniter is not responsible for introducing this issue because the framework has never provided a login screen, nor any kind of login or user management facilities beyond a Session library. Also, another reporter indicates the issue is with a custom module/plugin to CodeIgniter, not CodeIgniter itself."}, {"lang": "es", "value": "CodeIgniter hasta la versi\u00f3n 4.0.0 permite a los atacantes remotos obtener privilegios a trav\u00e9s de un ID de correo electr\u00f3nico modificado a la p\u00e1gina \"Seleccionar el rol del usuario\". NOTA: Un colaborador del framework CodeIgniter argumenta que el problema no debe ser atribuido a CodeIgniter. Adem\u00e1s, la referencia de la publicaci\u00f3n del blog muestra un sitio web desconocido construido con el framework CodeIgniter, pero que CodeIgniter no es responsable de la introducci\u00f3n de este problema porque el framework nunca ha proporcionado una pantalla de inicio de sesi\u00f3n, ni ning\u00fan tipo de inicio de sesi\u00f3n o facilidades de gesti\u00f3n de usuarios m\u00e1s all\u00e1 de una biblioteca de sesiones. 
Adem\u00e1s, otro reportero indica que el problema es con un m\u00f3dulo/plugin personalizado para CodeIgniter, no con el propio CodeIgniter"}], "id": "CVE-2020-10793", "lastModified": "2024-11-21T04:56:05.160", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-23T15:15:14.720", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://codeigniter4.github.io/userguide/extending/authentication.html"}, {"source": "cve@mitre.org", "url": "https://medium.com/%40vbharad/account-takeover-via-modifying-email-id-codeigniter-framework-ca30741ad297"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://codeigniter4.github.io/userguide/extending/authentication.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://medium.com/%40vbharad/account-takeover-via-modifying-email-id-codeigniter-framework-ca30741ad297"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", 
"weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}