Description
Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOH_AUTH cookie is assigned so that they can be uniquely identified. Certain APIs can be successfully executed without proper authentication. This can let an attacker impersonate a victim and make state-changing requests on their behalf.
References (2)
Core References
Broken Link x_refsource_misc
https://vivoh.com/wp-content/uploads/2021/11/Vivoh-Webinar-Manager-for-Zoom-Installation-and-Administration-Guide.pdf
Exploit, Vendor Advisory x_refsource_misc
https://vivoh.com/blog/finra-remediation/
Scores
CVSS v3
6.5
EPSS
0.0073
EPSS Percentile
49.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-287
Status
published
Products (1)
vivoh/webinar_manager
< 3.6.3.0
Published
Mar 30, 2022
Tracked Since
Feb 18, 2026