CVE-2019-6716

An unauthenticated Insecure Direct Object Reference (IDOR) in Wicket Core in LogonBox Nervepoint Access Manager 2013 through 2017 allows a remote attacker to enumerate internal Active Directory usernames and group names, and alter back-end server jobs (backup and synchronization jobs), which could allow for the possibility of a Denial of Service attack via a modified jobId parameter in a runJob.html GET request.
Configurations

Configuration 1

cpe:2.3:a:logonbox:nervepoint_access_manager:1.2:rg3:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.2:rg4:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.2:rg5:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.2:rg6:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.2:rg7:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.2:rg8:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.2:rg9:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.2:rg10:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.4:rg:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.4:rg1:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.4:rg2:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.4:rg3:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.3:rg:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.3:rg1:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.3:rg2:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.3:rg3:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.3:rg4:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.3:rg5:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.3:rg6:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.3:rg7:*:*:*:*:*:*
cpe:2.3:a:logonbox:nervepoint_access_manager:1.3:rg8:*:*:*:*:*:*

Information

Published : 2019-03-21 04:01

Updated : 2020-08-24 05:37


NVD link : CVE-2019-6716

Mitre link : CVE-2019-6716

Products Affected
No products.
CWE