In August, two old reserved CVE numbers were allowed to be published by the manufacturer.
WebSec filed a CVE update request at MITRE, as more details are now allowed to be published.
Software - iPortalis
CVE-2020-9002 - Improper Input Validation
Description:
It was possible to change the user role from COMPANY_USER to DOMAIN_ADMIN, a role that is not listed by default for lower-privileged users. This resulted in privilege escalation.
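The following is an added illustration of the bug class behind CVE-2020-9002 (a role-change request whose target role is validated only against the list of known roles, not against what the caller may assign); it is hypothetical handler code, not iPortalis code, and only the role names COMPANY_USER and DOMAIN_ADMIN come from the advisory. The role hierarchy, the User type and the handler names are assumptions.

```python
# Added illustration of improper input validation on a role change
# (CVE-2020-9002 class). Hypothetical code, not iPortalis's; only the role
# names COMPANY_USER and DOMAIN_ADMIN are taken from the advisory.

from dataclasses import dataclass

# Constructed role hierarchy, least to most privileged.
ROLE_RANK = {"COMPANY_USER": 1, "COMPANY_ADMIN": 2, "DOMAIN_ADMIN": 3}


@dataclass
class User:
    name: str
    role: str  # role taken from the authenticated session, not the request


class Forbidden(Exception):
    pass


def update_role_vulnerable(actor: User, target: User, request: dict) -> str:
    """Trusts the client-supplied 'role' field. DOMAIN_ADMIN is hidden from the
    UI for lower-privileged users, but the server accepts any known role, so a
    COMPANY_USER can submit it directly."""
    new_role = request["role"]
    if new_role not in ROLE_RANK:
        raise ValueError("unknown role")
    target.role = new_role
    return target.role


def assignable_roles(actor: User) -> set:
    """Roles the actor may grant: only those strictly below its own rank,
    decided from the session role. A COMPANY_USER may grant none."""
    return {r for r, rank in ROLE_RANK.items() if rank < ROLE_RANK[actor.role]}


def update_role_fixed(actor: User, target: User, request: dict) -> str:
    """Server-side check: the requested role must be one the actor is
    allowed to assign; the request body never decides the caller's privilege."""
    new_role = request.get("role")
    if new_role not in ROLE_RANK:
        raise ValueError("unknown role")
    if new_role not in assignable_roles(actor):
        raise Forbidden(f"{actor.role} may not assign {new_role}")
    target.role = new_role
    return target.role


def try_update(handler, actor: User, target: User, role: str) -> str:
    """Run a handler and report the outcome instead of raising."""
    try:
        return handler(actor, target, {"role": role})
    except Forbidden:
        return "FORBIDDEN"
```

The detection signal on the server side is the same in both versions: log the actor's session role alongside the requested role on every role change, so a COMPANY_USER requesting DOMAIN_ADMIN is visible whether or not the request succeeds.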
CVE-2020-9000 - Uncontrolled Resource Consumption
Description:
It was possible to generate stack trace errors which increased the log size on the server. The log file gets deleted every 24 hours; however, this is sufficient time for an attacker to exhaust the server's memory using automated tools.