CVE-2021-37214
HIGH
Flygo < 1.91.1 - Authenticated Authorization Bypass and Remote Code Execution via Employee ID Parameter
Title source: llmDescription
The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After authenticating as a general user, a remote attacker can manipulate the employee ID in specific parameters to access and modify arbitrary employees' data, and from there obtain administrator privileges and execute arbitrary commands.
References (1)
Core References
Third Party Advisory x_refsource_misc
https://www.twcert.org.tw/tw/cp-132-4991-658b1-1.html
Scores
CVSS v3
8.8
EPSS
0.0106
EPSS Percentile
60.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-639
CWE-706
Status
published
Products (1)
larvata/flygo
< 1.91.1
Published
Aug 09, 2021
Tracked Since
Feb 18, 2026