Unauthenticated API Exploit in Zyxel CloudCNM SecuManager
CVE-2020-15344

5.3MEDIUM

Key Information:

Vendor: Zyxel
Status: Cloudcnm Secumanager
Vendor: CVE Published:; 29 September 2022

What is CVE-2020-15344?

The Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 contain an unauthenticated API endpoint, zy_get_user_id_and_key, which could allow attackers to exploit sensitive data without prior authentication. This vulnerability poses a significant risk to the integrity of user information and system security, enabling unauthorized access and potential compromise of user accounts.

References

https://pierrekim.github.io/blog/2020-03-09-zyxel-secuman...

x_refsource_MISC

https://www.zyxel.com/support/vulnerabilities-of-CloudCNM...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2022
Vulnerability Reserved
Jun 26, 2020