A vulnerability, which was classified as critical, has been found in Wisetail Learning Ecosystem up to 4.11.6. This issue affects an unknown part. The manipulation of the argument id as part of a Parameter leads to a file information disclosure vulnerability. Using CWE to declare the problem leads to CWE-538. The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direct object reference (IDOR) attacks to download non-purchased course files via a modified id parameter.

The bug was discovered 09/13/2018. The weakness was shared 09/12/2018 (Website). It is possible to read the advisory at blog.ziaurrashid.com. The identification of this vulnerability is CVE-2018-16970 since 09/12/2018. The exploitation is known to be easy. The attack may be initiated remotely. A simple authentication is necessary for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1083 according to MITRE ATT&CK.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entry 123960 is related to this item.

Productinfo

Vendor

• Wisetail

Name

• Learning Ecosystem

Version

• 4.11.0
• 4.11.1
• 4.11.2
• 4.11.3
• 4.11.4
• 4.11.5
• 4.11.6

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion