CVE-2019-17202
HIGHFastTrack Admin By Request < 6.2.0.0 - Unauthenticated Privilege Escalation via PIN Bypass
Title source: llmDescription
FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will. If a user does not have direct access to the elevation feature through group policies, they are prompted to enter a PIN code in a challenge-response manner upon attempting to elevate privileges. The challenge's response uses a simple algorithm that can be easily emulated via data (customer ID and device name) available to all users, and thus any user can elevate to Administrator privilege.
References (2)
Core 2
Core References
Third Party Advisory
https://improsec.com/en/responsible-disclosure
Various Sources
https://www.adminbyrequest.com/en/releasenotes
Scores
CVSS v3
7.8
EPSS
0.0026
EPSS Percentile
17.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-269
Status
published
Products (1)
fasttracksoftware/admin_by_request
< 6.2.0.0
Published
Jan 23, 2020
Tracked Since
Feb 18, 2026