N/A

ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw. By not verifying the permissions for access to resources, it allows a potential attacker to view pages that are not allowed. Specifically, it was found that any authenticated user can reach the administrative console for user management by directly requesting access to the page via URL. This allows a malicious user to modify all users' profiles, to elevate any privileges to administrative ones, or to create or delete any type of user. It is also possible to modify the emails of other users, through a misconfiguration of the username parameter, on the user profile page. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020

N/A

N/A

ARCHIBUS Web Central 安全漏洞

ARCHIBUS Web Central是ARCHIBUS的一个web网络管理中心，在直观的 Web 浏览器界面中组织设施和基础设施管理任务。所有基础设施数据都存储在一个集中存储库中，以便来自世界任何地方的授权用户都可以输入、编辑和监控这些数据。 ARCHIBUS Web Central 21.3.3.815（2014 年的版本）存在安全漏洞，任何经过身份验证的用户都可以通过 URL 直接请求访问页面来访问管理控制台进行用户管理。

N/A

N/A