Vulnerability Description
An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdeskintegration/saml/user/createorupdate endpoint, the /settings/guest-settings endpoint, the /settings/samlusers-settings endpoint, and the /settings/users-settings endpoint. A malicious user (already logged in as a SAML User) is able to achieve privilege escalation from a low-privilege user (FGM user) to an administrative user (GGU user), including the administrator, or create new users even without an admin role.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liveboxcloud | Vdesk | <= 018 |
References
- https://www.gruppotim.it/it/footer/red-team.htmlExploitThird Party Advisory
- https://www.gruppotim.it/it/footer/red-team.htmlExploitThird Party Advisory
FAQ
What is CVE-2022-45178?
CVE-2022-45178 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdeskintegration/saml/user/createorupdate endpoint, the /settings/guest-settings end...
How severe is CVE-2022-45178?
CVE-2022-45178 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-45178?
Check the references section above for vendor advisories and patch information. Affected products include: Liveboxcloud Vdesk.