CVE-2021-29024
Description
In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker to directory traversal and download files suppose to be private without authentication.
References
ExploitIssue TrackingThird Party Advisory
CvssV3 impact
BaseSeverity | HIGH |
ConfidentialityImpact | HIGH |
AttackComplexity | LOW |
Scope | UNCHANGED |
AttackVector | NETWORK |
AvailabilityImpact | NONE |
IntegrityImpact | NONE |
PrivilegesRequired | NONE |
BaseScore | 7.5 |
VectorString | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Version | 3.1 |
UserInteraction | NONE |
CvssV2 impact
AccessComplexity | LOW |
ConfidentialityImpact | PARTIAL |
AvailabilityImpact | NONE |
IntegrityImpact | NONE |
BaseScore | 5 |
VectorString | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Version | 2.0 |
AccessVector | NETWORK |
Authentication | NONE |