A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0.
Metrics
CVSS Version: 3.1 | Base Score: 5.3 MEDIUM | Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-ID: CWE-639 CWE Name: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Source: Palantir
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC-ID: CAPEC-233 CAPEC Description: An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
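The access-control pattern behind the defect described above and in the CWE-639 entry, as an added illustration that is not Foundry code: a constructed in-memory attachment store whose lookup authorizes only on the attachment UUID, beside a corrected lookup that checks the requester's permission on the parent comment before returning the content.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    attachment_id: str
    comment_id: str  # parent comment whose permissions govern this attachment
    content: bytes


@dataclass(frozen=True)
class Comment:
    comment_id: str
    readers: frozenset  # constructed: user ids allowed to read this comment


class NotFound(Exception):
    pass


class AttachmentStore:
    def __init__(self):
        self.comments = {}
        self.attachments = {}

    def add_comment(self, readers):
        cid = str(uuid.uuid4())
        self.comments[cid] = Comment(cid, frozenset(readers))
        return cid

    def add_attachment(self, comment_id, content):
        aid = str(uuid.uuid4())
        self.attachments[aid] = Attachment(aid, comment_id, content)
        return aid

    def get_vulnerable(self, requester, attachment_id):
        # CWE-639 shape: the caller is authenticated, but the UUID alone selects
        # the record, so any user who learns the key reads the content.
        return self.attachments[attachment_id].content

    def get_fixed(self, requester, attachment_id):
        att = self.attachments.get(attachment_id)
        # Authorize against the parent comment, not the attachment key. Unknown
        # and forbidden both raise NotFound so the response does not confirm
        # whether a guessed UUID exists.
        if att is None or requester not in self.comments[att.comment_id].readers:
            raise NotFound(attachment_id)
        return att.content


def demo():
    store = AttachmentStore()
    secret = store.add_attachment(store.add_comment({"alice"}), b"constructed draft")
    leaked = store.get_vulnerable("mallory", secret)  # returns the content: the bug
    try:
        store.get_fixed("mallory", secret)
        blocked = False
    except NotFound:
        blocked = True
    return leaked, blocked
```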