CVE-2019-13337

Date: July 9, 2019

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.
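
The flaw described above, sketched as an added example (not GROWI's code and not part of this advisory): a hypothetical site-wide basic-auth gate that steps aside whenever access_token is present, beside one that validates the token before exempting the request. The function names, credentials, token store and Express-style request shape are constructed assumptions.

```javascript
// Added illustration, not GROWI source; names, credentials and tokens are constructed.
const SITE_USER = 'wiki', SITE_PASS = 'constructed-site-password';
const API_TOKENS = new Set(['constructed-api-token']); // stand-in for the token store
// Compare without stopping at the first differing byte.
function constantTimeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

function basicAuthOk(header) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(header || '');
  const decoded = m ? Buffer.from(m[1], 'base64').toString('utf8') : '';
  const sep = decoded.indexOf(':');
  if (sep < 0) return false;
  const userOk = constantTimeEqual(decoded.slice(0, sep), SITE_USER);
  const passOk = constantTimeEqual(decoded.slice(sep + 1), SITE_PASS);
  return userOk && passOk;
}

// Flawed: presence of access_token alone is read as "API call, authenticated elsewhere".
function flawedGate(req) {
  if (req.query.access_token !== undefined) return 'pass';
  return basicAuthOk(req.headers.authorization) ? 'pass' : 'challenge';
}

// Hardened: only a single string matching a stored token exempts the request;
// a junk value or a repeated parameter (parsed as an array) falls back to basic auth.
function hardenedGate(req) {
  const token = req.query.access_token;
  if (typeof token === 'string' && API_TOKENS.has(token)) return 'pass';
  return basicAuthOk(req.headers.authorization) ? 'pass' : 'challenge';
}

// Constructed requests shaped like Express's req.query / req.headers.
const basic = 'Basic ' + Buffer.from(`${SITE_USER}:${SITE_PASS}`).toString('base64');
const samples = {
  noCreds: { query: {}, headers: {} },
  junkToken: { query: { access_token: 'x' }, headers: {} },
  arrayToken: { query: { access_token: ['constructed-api-token'] }, headers: {} },
  validToken: { query: { access_token: 'constructed-api-token' }, headers: {} },
  validBasic: { query: {}, headers: { authorization: basic } },
};
function compareGates() {
  return Object.fromEntries(Object.entries(samples).map(
    ([name, req]) => [name, { flawed: flawedGate(req), hardened: hardenedGate(req) }]));
}
console.log(compareGates());
```

The junkToken and arrayToken rows are the regression cases worth keeping in a test suite: both must end in a challenge once the gate validates the token.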

Language: JS

Severity Score

Weakness Type (CWE)

Authorization Bypass Through User-Controlled Key

CWE-639

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE