CVE-2020-14945
published 2020-06-22


Priority: P2 (66, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 11.40% (95.5th percentile)
A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.24750 and earlier that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e., the BankAdmin role) via modified SaveUser data.

Affected

1 range

Vendor        Product     Version range        Fixed in
globalradar   bsa_radar   <= 1.6.7234.24750    -

Detection & IOCs (extracted from sources)

URL: /WS/AjaxWS.asmx/SaveUser
  • Monitor for POST requests to /WS/AjaxWS.asmx/SaveUser originating from non-administrative user sessions, especially where the JSON body contains "Role":"BANKADMIN"; this is the forged privilege escalation payload.
  • Detect low-privileged users calling the SaveUser admin endpoint (intended only for administrators updating privileges) rather than the SaveUserProfile endpoint used for normal profile saves; this cross-endpoint abuse is the core exploitation mechanism.
  • Alert on any account whose role transitions to BANKADMIN (BankAdmin) without a corresponding administrative action, as successful exploitation grants full administration rights.
  • The vulnerability affects BSA Radar version 1.6.7234.24750 and all earlier versions; scope detection rules to environments running these versions.
  • Exploitation requires an already-authenticated, low-privileged session; unauthenticated access alone is insufficient to trigger this privilege escalation.
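The detection guidance above, turned into runnable logic, as an added example that is not part of this record and not code from Global RADAR: a small Python scanner over constructed JSON-line audit records. It flags non-admin sessions posting to the SaveUser endpoint, forged "Role":"BANKADMIN" bodies from such sessions, and role changes to BANKADMIN with no administrative actor, and it scopes rules by version. The log field names (kind, session_role, body, role_change events with actor_role) are assumptions for this example; adapt them to your own application or proxy logs.

```python
import json

SAVE_USER_PATH = "/WS/AjaxWS.asmx/SaveUser"       # admin-only endpoint named in the advisory
PROFILE_PATH = "/WS/AjaxWS.asmx/SaveUserProfile"  # normal self-service profile save
ADMIN_ROLE = "BANKADMIN"
LAST_AFFECTED = (1, 6, 7234, 24750)               # 1.6.7234.24750 and earlier are affected

# Constructed sample audit log (JSON lines). Field layout is an assumption for this example.
SAMPLE_LOG = r"""
{"ts":"2020-06-22T10:00:01Z","kind":"request","user":"admin1","session_role":"BANKADMIN","method":"POST","path":"/WS/AjaxWS.asmx/SaveUser","body":"{\"UserName\":\"jdoe\",\"Role\":\"BANKADMIN\"}"}
{"ts":"2020-06-22T10:01:12Z","kind":"request","user":"jdoe","session_role":"USER","method":"POST","path":"/WS/AjaxWS.asmx/SaveUserProfile","body":"{\"UserName\":\"jdoe\",\"Email\":\"j@example.test\"}"}
{"ts":"2020-06-22T10:02:40Z","kind":"request","user":"jdoe","session_role":"USER","method":"POST","path":"/WS/AjaxWS.asmx/SaveUser","body":"{\"UserName\":\"jdoe\",\"Role\":\"BANKADMIN\"}"}
{"ts":"2020-06-22T10:02:41Z","kind":"role_change","user":"jdoe","old_role":"USER","new_role":"BANKADMIN","actor":"jdoe","actor_role":"USER"}
{"ts":"2020-06-22T10:05:00Z","kind":"role_change","user":"mike","old_role":"USER","new_role":"BANKADMIN","actor":"admin1","actor_role":"BANKADMIN"}
"""


def is_affected(version: str) -> bool:
    """True when a dotted BSA Radar version is at or below the last affected version."""
    parts = tuple(int(p) for p in version.split("."))
    return parts <= LAST_AFFECTED


def body_role(body) -> "str | None":
    """Return the upper-cased Role field of a JSON request body, or None if absent/unparseable."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict):
        return None
    role = data.get("Role")
    return role.upper() if isinstance(role, str) else None


def check_record(rec: dict) -> list:
    """Apply the three detection rules from the advisory to one audit record."""
    alerts = []
    kind = rec.get("kind")
    if kind == "request":
        is_admin = str(rec.get("session_role", "")).upper() == ADMIN_ROLE
        if rec.get("method") == "POST" and rec.get("path") == SAVE_USER_PATH and not is_admin:
            # Rule 2: low-privileged session using the admin SaveUser endpoint instead of SaveUserProfile
            alerts.append(f"non-admin session '{rec.get('user')}' called SaveUser")
            # Rule 1: the forged escalation payload inside that request
            if body_role(rec.get("body")) == ADMIN_ROLE:
                alerts.append(f"forged Role=BANKADMIN in SaveUser body from '{rec.get('user')}'")
    elif kind == "role_change":
        # Rule 3: role became BANKADMIN but the actor was not an administrator
        new_role = str(rec.get("new_role", "")).upper()
        actor_role = str(rec.get("actor_role", "")).upper()
        if new_role == ADMIN_ROLE and actor_role != ADMIN_ROLE:
            alerts.append(f"role of '{rec.get('user')}' became BANKADMIN without an administrative actor")
    return alerts


def scan_log(text: str) -> list:
    """Return (line_number, alert) pairs for every rule hit in a JSON-lines log."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed line; in production count these rather than silently dropping them
        for alert in check_record(rec):
            findings.append((n, alert))
    return findings


if __name__ == "__main__":
    if is_affected("1.6.7234.24750"):
        for line_no, alert in scan_log(SAMPLE_LOG):
            print(f"line {line_no}: {alert}")
```

On the constructed sample the administrator's own SaveUser call and the admin-driven role change produce nothing, while the low-privileged SaveUser call fires two alerts and the self-granted role change fires a third; the version gate keeps the rules from running against patched deployments.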

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)