The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site.
The Evolution Controller web application does not require authentication to perform operations on user profiles. Incorrect configuration of the access control mechanism (CWE-284) allows an unauthenticated attacker to send requests to user management endpoints. As a result, an attacker can create new accounts or modify existing profiles, and then log in with full privileges.
An attacker without any authentication can gain full access to the Evolution Controller application, including user management and all system functions. This results in a complete breach of confidentiality, integrity, and availability of the application.
Patches available from the manufacturer should be applied according to the references. It is also recommended to restrict access to the Evolution Controller web interface only to trusted networks or IP addresses at the firewall level until the update is deployed.
Cs-Technologies Evolution Controller in version 2.04.560.31.03.2024 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCs Technologies Evolution
APPCs-Technologies≤ 2.04.560
Related vulnerabilities
Domyślne dane logowania w Evolution Controller 2.x umożliwiają pełen dostęp administracyjny
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below does not proper sanitize user...
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured ac...
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured ac...
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management,...