Webid
CVE-2024-32166
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Webid v1.2.1 suffers from an Insecure Direct Object Reference (IDOR) - Broken Access Control vulnerability, allowing attackers to buy now an auction that is suspended (horizontal privilege escalation).
AnalysisAI
Webid v1.2.1 suffers from an Insecure Direct Object Reference (IDOR) - Broken Access Control vulnerability, allowing attackers to buy now an auction that is suspended (horizontal privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-639. Webid v1.2.1 suffers from an Insecure Direct Object Reference (IDOR) - Broken Access Control vulnerability, allowing attackers to buy now an auction that is suspended (horizontal privilege escalation). Affected products include: Webidsupport Webid.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
WeBid 1.1.2 is vulnerable to SQL Injection via admin/tax.php. Rated critical severity (CVSS 9.8), this vulnerability is
WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php. Rated critical severity (CVSS 9.8), this vu
A security issue was discovered in WeBid <=1.2.2. Rated critical severity (CVSS 9.1), this vulnerability is remotely exp
WeBid version up to current version 1.2.2 contains a SQL Injection vulnerability in All five yourauctions*.php scripts t
WeBid 1.1.1 allows remote attackers to conduct an LDAP injection attack via the (1) js or (2) cat parameter. Rated high
WeBid version up to current version 1.2.2 contains a Directory Traversal vulnerability in getthumb.php that can result i
WeBid 1.2.2 has reflected XSS via the id parameter to admin/deletenews.php, admin/editbannersuser.php, admin/editfaqscat
WeBid version up to current version 1.2.2 contains a Cross Site Scripting (XSS) vulnerability in user_login.php, registe
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today