CVE-2020-10507 - OpenCVE

The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of Unrestricted file upload (RCE) , that would allow attackers to gain access in the hosting machine.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
The School Manage System Project	The School Manage System

Configuration 1 [-]

cpe:2.3:a:the_school_manage_system_project:the_school_manage_system:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d
https://www.twcert.org.tw/tw/cp-132-3532-26d71-1.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: twcert

Published: 2020-04-15T00:00:00

Updated: 2020-04-30T17:17:11

Reserved: 2020-03-12T00:00:00

Link: CVE-2020-10507

JSON object: View

NVD Information

Status : Modified

Published: 2020-04-15T07:15:12.753

Modified: 2020-04-30T18:15:13.300

Link: CVE-2020-10507

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "School Manage System", "vendor": "ALLE INFORMATION CO., LTD.", "versions": [{"status": "affected", "version": "before 2020"}]}], "datePublic": "2020-04-15T00:00:00", "descriptions": [{"lang": "en", "value": "The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of Unrestricted file upload (RCE) , that would allow attackers to gain access in the hosting machine."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Security Misconfiguration", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-30T17:17:11", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.twcert.org.tw/tw/cp-132-3532-26d71-1.html"}], "solutions": [{"lang": "en", "value": "Contact ALLE INFORMATION CO., LTD. for vulnerabilities patch."}], "source": {"discovery": "UNKNOWN"}, "title": "ALLE INFORMATION CO., LTD. School Manage System - Security Misconfiguration", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-04-15T05:30:00.000Z", "ID": "CVE-2020-10507", "STATE": "PUBLIC", "TITLE": "ALLE INFORMATION CO., LTD. School Manage System - Security Misconfiguration"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "School Manage System", "version": {"version_data": [{"version_value": "before 2020"}]}}]}, "vendor_name": "ALLE INFORMATION CO., LTD."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of Unrestricted file upload (RCE) , that would allow attackers to gain access in the hosting machine."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Security Misconfiguration"}]}]}, "references": {"reference_data": [{"name": "https://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d", "refsource": "CONFIRM", "url": "https://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d"}, {"name": "https://www.twcert.org.tw/tw/cp-132-3532-26d71-1.html", "refsource": "CONFIRM", "url": "https://www.twcert.org.tw/tw/cp-132-3532-26d71-1.html"}]}, "solution": [{"lang": "en", "value": "Contact ALLE INFORMATION CO., LTD. for vulnerabilities patch."}], "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-10507", "datePublished": "2020-04-15T00:00:00", "dateReserved": "2020-03-12T00:00:00", "dateUpdated": "2020-04-30T17:17:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:the_school_manage_system_project:the_school_manage_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "6EAA067C-7930-48F8-8C95-497A19B2BD7E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of Unrestricted file upload (RCE) , that would allow attackers to gain access in the hosting machine."}, {"lang": "es", "value": "El sistema de gesti\u00f3n escolar antes de 2020, desarrollado por ALLE INFORMATION CO., LTD., Contiene una vulnerabilidad de carga de archivos sin restricciones (RCE), que permitir\u00eda a los atacantes obtener acceso en la m\u00e1quina del host ."}], "id": "CVE-2020-10507", "lastModified": "2020-04-30T18:15:13.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2020-04-15T07:15:12.753", "references": [{"source": "twcert@cert.org.tw", "url": "https://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-3532-26d71-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}