Description
A business logic flaw was found in ManageIQ where the read-only values of Widgets could be altered. The read-only state was enforced only by the `disabled` attribute on the form fields; an attacker with low privileges could remove that attribute in the browser and submit altered values, which the server accepted because it did not validate them against the read-only restriction.
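The pattern behind this flaw is a server that trusts the browser to have honoured `disabled`. The following is an added example, not ManageIQ's own code, showing the vulnerable update handler beside a hardened one that decides what may be written from a server-side allow-list; the widget field names and the sample request are assumed for illustration.

```ruby
# Added example (not ManageIQ code): a disabled form field is not a
# server-side control. Field names below are assumed, not ManageIQ's.

# Fields a low-privilege user may legitimately change (assumed).
EDITABLE_FIELDS = %w[title description].freeze

# Fields the UI renders with `disabled` and the server must treat as
# read-only (assumed names).
READ_ONLY_FIELDS = %w[id owner_id visibility].freeze

# Vulnerable pattern: every submitted key that matches a widget column is
# written. Removing `disabled` in the browser's devtools makes the browser
# submit the field, and this handler stores whatever arrives.
def update_widget_vulnerable(widget, params)
  params.each { |k, v| widget[k] = v if widget.key?(k) }
  widget
end

# Hardened pattern: the allow-list, not the request, decides what is
# written. A read-only field that arrives with a different value is
# evidence of tampering, so the request is rejected rather than silently
# trimmed, which gives the operator something to log and alert on.
# Form values arrive as strings, so compare on the string form.
def update_widget_hardened(widget, params)
  tampered = READ_ONLY_FIELDS.select do |k|
    params.key?(k) && params[k].to_s != widget[k].to_s
  end
  return [:rejected, tampered] unless tampered.empty?

  EDITABLE_FIELDS.each { |k| widget[k] = params[k] if params.key?(k) }
  [:ok, widget]
end

# Constructed sample data. A well-behaved browser would have sent only
# `title`; `owner_id` is present because the attacker dropped `disabled`.
SAMPLE_WIDGET = {
  'id' => 7, 'owner_id' => 42, 'visibility' => 'private',
  'title' => 'Old title', 'description' => ''
}.freeze
TAMPERED_PARAMS = { 'title' => 'New title', 'owner_id' => '1' }.freeze
HONEST_PARAMS   = { 'title' => 'New title' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{update_widget_vulnerable(SAMPLE_WIDGET.dup, TAMPERED_PARAMS)}"
  puts "hardened:   #{update_widget_hardened(SAMPLE_WIDGET.dup, TAMPERED_PARAMS)}"
  puts "honest:     #{update_widget_hardened(SAMPLE_WIDGET.dup, HONEST_PARAMS)}"
end
```

The check that matters is the one the client cannot influence: the hardened handler never consults the request to learn which fields are editable, and treats a submitted read-only field with a changed value as a rejected request rather than something to quietly ignore.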
Acknowledgements
Red Hat would like to thank Purnachand Pulahari (IBM) and Ranjit Kumar Singh (IBM) for reporting this issue.
https://access.redhat.com/security/cve/cve-2020-10778
Fixed in ivanchuk-7, jansa-1-rc2, master