CVE-2020-14944
Published 2020-06-22
Priority P2 · 64 · critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see Exploit-DB below)
EPSS 6.34% (92.8th percentile)
Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authorization controls in multiple functions. This can allow for manipulation and takeover of user accounts if successfully exploited. The following vulnerable functions are exposed: ChangePassword, SaveUserProfile, and GetUser.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| globalradar | bsa_radar | <= 1.6.7234.24750 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated or cross-user POST requests to /WS/AjaxWS.asmx/ChangePassword with a UserID parameter differing from the authenticated session's user, indicating account takeover attempts.
- Detect POST requests to /WS/AjaxWS.asmx/SaveUserProfile where the UserID in the JSON body does not match the session owner; also inspect the Firstname and Lastname fields for script injection payloads (stored XSS).
- Detect POST requests to /WS/AjaxWS.asmx/GetUser with arbitrary userID values being enumerated, which may indicate user account reconnaissance via IDOR.
- Alert on stored XSS payloads (e.g., script tags or alert() calls) appearing in the Firstname or Lastname fields of BSA Radar user profiles, as these render on nearly every application page.
- The vulnerable application version is 1.6.7234.24750 and earlier; scope detections to this version range.
- The application runs on Windows; tune endpoint/host-based detections accordingly.
- The three vulnerable ASMX endpoints (ChangePassword, SaveUserProfile, GetUser) are part of an AJAX web service; WAF rules should target the /WS/AjaxWS.asmx path with POST method inspection.
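The detection points above, as an added example that is not part of this page or of the BSA Radar advisory: a small Python scanner that runs over constructed request records (not real BSA Radar traffic) of the kind a reverse proxy or WAF that logs POST bodies and resolves the session cookie to a user id might emit. The record field names, the application origin https://radar.example and the NewPassword parameter are assumptions; the endpoint paths and the UserID/userID, Firstname and Lastname parameters come from the IOC notes. Plain IIS access logs do not record POST bodies, so this only works against a log source that captures them. The advisory header below says the functions are exposed "while logged into the application" while NVD scores PR:N, so the scanner flags both unauthenticated and authenticated cross-user calls; it also checks the Origin header for the cross-site request forgery variant that the Exploit-DB entry describes.

```python
import json
import re
from collections import defaultdict

# Endpoint layout taken from the IOC notes; the application origin is an
# assumption for this example (replace with the real BSA Radar host).
ASMX_BASE = "/WS/AjaxWS.asmx/"
VULN_METHODS = {"ChangePassword", "SaveUserProfile", "GetUser"}
APP_ORIGIN = "https://radar.example"

# Crude indicator for the stored-XSS payloads described for Firstname/Lastname.
XSS_PATTERN = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|alert\s*\(", re.IGNORECASE)

# Constructed request records, not real BSA Radar traffic. The field names are
# assumptions about what a proxy/WAF that logs POST bodies and resolves the
# session cookie to a user id might emit. NewPassword is an assumed parameter.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": ASMX_BASE + "ChangePassword", "session_user_id": 1042,
     "origin": APP_ORIGIN, "body": '{"UserID": 1042, "NewPassword": "[redacted]"}'},
    {"method": "POST", "path": ASMX_BASE + "ChangePassword", "session_user_id": 1042,
     "origin": "https://attacker.example", "body": '{"UserID": 7, "NewPassword": "[redacted]"}'},
    {"method": "POST", "path": ASMX_BASE + "SaveUserProfile", "session_user_id": 1042,
     "origin": APP_ORIGIN,
     "body": '{"UserID": 1042, "Firstname": "<script>alert(1)</script>", "Lastname": "Doe"}'},
    {"method": "POST", "path": ASMX_BASE + "GetUser", "session_user_id": None,
     "origin": APP_ORIGIN, "body": '{"userID": 3}'},
] + [
    {"method": "POST", "path": ASMX_BASE + "GetUser", "session_user_id": 1042,
     "origin": APP_ORIGIN, "body": '{"userID": %d}' % uid}
    for uid in range(1, 9)
]


def _field(body, name):
    """Case-insensitive key lookup; the advisory uses both UserID and userID."""
    for key, value in body.items():
        if key.lower() == name.lower():
            return value
    return None


def analyze_request(rec):
    """Return the alerts raised by a single request record (empty list if benign)."""
    alerts = []
    if rec.get("method") != "POST" or not rec.get("path", "").startswith(ASMX_BASE):
        return alerts
    method = rec["path"][len(ASMX_BASE):]
    if method not in VULN_METHODS:
        return alerts
    try:
        body = json.loads(rec.get("body") or "{}")
    except ValueError:
        return ["malformed JSON body sent to %s" % method]
    if not isinstance(body, dict):
        body = {}

    # CSRF indicator: a browser-supplied Origin that is not the application itself.
    origin = rec.get("origin")
    if origin and origin != APP_ORIGIN:
        alerts.append("cross-origin POST to %s from %s" % (method, origin))

    # IDOR / takeover indicator: no session, or body UserID differs from the session user.
    session_user = rec.get("session_user_id")
    target = _field(body, "UserID")
    if session_user is None:
        alerts.append("unauthenticated call to %s" % method)
    elif target is not None and str(target) != str(session_user):
        alerts.append("cross-user %s: session %s targeted UserID %s"
                      % (method, session_user, target))

    # Stored XSS indicator on the two profile fields named in CVE-2020-14943.
    if method == "SaveUserProfile":
        for field in ("Firstname", "Lastname"):
            value = _field(body, field)
            if isinstance(value, str) and XSS_PATTERN.search(value):
                alerts.append("possible stored XSS payload in %s" % field)
    return alerts


def detect_enumeration(records, threshold=5):
    """Sessions that queried GetUser for more than `threshold` distinct UserIDs."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("method") == "POST" and rec.get("path") == ASMX_BASE + "GetUser":
            try:
                body = json.loads(rec.get("body") or "{}")
            except ValueError:
                continue
            target = _field(body, "UserID") if isinstance(body, dict) else None
            if target is not None:
                seen[rec.get("session_user_id")].add(str(target))
    return {session: sorted(ids) for session, ids in seen.items() if len(ids) > threshold}


def scan(records):
    """Per-request alerts as (index, message) plus session-level enumeration findings."""
    hits = [(i, msg) for i, rec in enumerate(records) for msg in analyze_request(rec)]
    return hits, detect_enumeration(records)


if __name__ == "__main__":
    hits, enumeration = scan(SAMPLE_REQUESTS)
    for index, message in hits:
        print("request %d: %s" % (index, message))
    for session, ids in enumeration.items():
        print("session %s enumerated %d UserIDs via GetUser" % (session, len(ids)))
```

The per-request checks are deliberately stateless so they can be ported to a WAF rule; only the GetUser enumeration count needs state, and its threshold should be tuned to how many profiles a legitimate user views in a session.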
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)
exploitdb · 2020-07-08 · CVE-2020-14944 · CRITICAL · CVSS 9.8
---
# Exploit title: BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)
# Exploit Author: William Summerhill
# Date: 2020-06-22
# Vendor Homepage: https://www.globalradar.com/
# Version: BSA Radar - Version 1.6.7234.24750 and lower
# CVE: CVE-2020-14944
# Description: The Global RADAR BSA Radar 1.6.7234.X application lacks valid authorization
# controls in multiple functions while logged into the application.
# This can allow for manipulation and takeover of user accounts if successfully exploited.
# The following vulnerable functions are exposed: ChangePassword, SaveUserProfile, GetUser
Proof of Concept:
1. ChangePassword API endpoint - Allows the ability to update the password belonging to
Exploit-DB
BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting
exploitdb · 2020-06-24 · CVE-2020-14943 · MEDIUM · CVSS 5.4
---
# Exploit title: BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting
# Exploit Author: William Summerhill
# Date: 2020-06-22
# Vendor homepage: https://www.globalradar.com/
# Tested on: Windows
# CVE: CVE-2020-14943
# Description: The "Firstname" and "Lastname" parameters in Global RADAR BSA Radar 1.6.7234.X
# are vulnerable to a stored Cross-Site Scripting (XSS) via the Update User Profile feature
# (in the top-right of the application).
# Proof of Concept:
Using the "update user profile" feature in the top-right of the application while logged in,
a malicious user can inject malicious, unencoded scripts, such as "alert(1)",
into the Firstname and Lastname parameters of a user account. This stored XSS will execute on
nea
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/158372/BSA-Radar-1.6.7234.24750-Cross-Site-Request-Forgery.html
- https://github.com/wsummerhill/BSA-Radar_CVE-Vulnerabilities
- https://github.com/wsummerhill/BSA-Radar_CVE-Vulnerabilities/blob/master/CVE-2020-14944%20-%20Access%20Control%20Vulnerabilities.md