uPortal before 4.0.13.1 does not properly check the MANAGE permissions, which allows remote authenticated users to manage arbitrary portlets by leveraging the SUBSCRIBE permission for the portlet-admin portlet.

Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | php54 | 2015-07-07 12:39 | ALAS-2015-561 |
Amazon Linux 1 | php55 | 2015-07-07 12:40 | ALAS-2015-562 |
Amazon Linux 1 | php56 | 2015-07-07 12:40 | ALAS-2015-563 |

Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv2 | 6.5 | AV:N/AC:L/Au:S/C:P/I:P/A:P |
NVD | CVSSv2 | 6.5 | AV:N/AC:L/Au:S/C:P/I:P/A:P |