Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOH_AUTH cookie is assigned so that they can be uniquely identified. Certain APIs can be successfully executed without proper authentication. This can let an attacker impersonate as victim and make state changing requests on their behalf.
References
Link | Resource |
---|---|
https://vivoh.com/blog/finra-remediation/ | Exploit Vendor Advisory |
https://vivoh.com/wp-content/uploads/2021/11/Vivoh-Webinar-Manager-for-Zoom-Installation-and-Administration-Guide.pdf | Broken Link |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-03-30T21:38:55
Updated: 2022-03-30T21:38:55
Reserved: 2021-12-27T00:00:00
Link: CVE-2021-45900
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-03-30T22:15:08.447
Modified: 2022-04-06T00:14:01.320
Link: CVE-2021-45900
JSON object: View
Redhat Information
No data.
CWE