{"id":16553,"date":"2021-07-07T12:40:51","date_gmt":"2021-07-07T10:40:51","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0015\/"},"modified":"2021-07-19T14:08:02","modified_gmt":"2021-07-19T12:08:02","slug":"usd-2018-0015","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0015\/","title":{"rendered":"usd-2018-0015"},"content":{"rendered":"<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0015 | Lexware Professional 2017\/17.02<\/span><\/h1>\n<p><strong>Advisory ID<\/strong><span>: usd-2018-0015<\/span><br \/><strong>CVE Number<\/strong><span>: N\/A<\/span><br \/><strong>Affected Product<\/strong><span>: Lexware Professional 2017<\/span><br \/><strong>Affected Version<\/strong><span>: 17.02<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Improper\/Missing Access Control<\/span><br \/><strong>Security Risk<\/strong><span>: Critical<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/shop.lexware.de\/reisekosten-abrechnung\" target=\"_blank\" rel=\"noopener\">https:\/\/shop.lexware.de\/reisekosten-abrechnung<\/a><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><\/p>\n<h3>Description<\/h3>\n<p><span>The vulnerability considered here is the lack of access control on individual users\u2019 access rights within the database. Once the database is made accessible with a user\u2019s credentials, irrespective of that user\u2019s privilege level, it is possible to alter data that should otherwise have been forbidden or hindered. By design, the vulnerability has serious implications, since it allows any user with access to the database to alter crucial contents, for example properties of other users such as their name and group id. This has a broad spectrum of potential impacts, ranging from changing a user\u2019s description to changing the group id and other properties. It therefore provides an easily available method for a user to grant higher privileges to themselves or, alternatively, to lower the privileges of an admin-level user.<\/span><\/p>\n<h3>Fix<\/h3>\n<p><a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Access_Control_Cheat_Sheet.html\" target=\"_blank\" rel=\"noopener\">https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Access_Control_Cheat_Sheet.html<\/a><\/p>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was found by Sebastian Puttkammer of usd AG.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0015 | Lexware Professional 2017\/17.02 Advisory ID: usd-2018-0015 CVE Number: N\/A Affected Product: Lexware Professional 2017 Affected Version: 17.02 Vulnerability Type: Improper\/Missing Access Control Security Risk: Critical Vendor URL: https:\/\/shop.lexware.de\/reisekosten-abrechnung Vendor Status: Fixed Description The vulnerability considered here is the lack of access control on individual users\u2019 access rights within the database. Once the database is made accessible with a user\u2019s credentials, [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16553","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16553"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16553\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}