CVE-2023-40362
MEDIUM
CentralSquare Click2Gov Building Permit - Missing Authorization
Title source: ruleDescription
An issue was discovered in CentralSquare Click2Gov Building Permit before October 2023. Lack of access control protections allows remote attackers to arbitrarily delete the contractors from any user's account when the user ID and contractor information are known.
Exploits (1)
References (2)
Core References
Exploit, Third Party Advisory
https://github.com/ally-petitt/CVE-2023-40362
Press/Media Coverage, Vendor Advisory
https://www.classaction.org/news/centralsquare-hit-with-class-action-over-2017-2018-click2gov-data-breach
Scores
CVSS v3: 4.3
EPSS: 0.0614
EPSS Percentile: 90.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-862
Status: published
Products (1): centralsquare/click2gov_building_permit
Published: Jan 12, 2024
Tracked Since: Feb 18, 2026