CVE-2020-13421 — CVSS 9.8 (critical): OpenIAM before 4.2.0.3 has Incorrect Access Control for the Create User, Modify User Permissions, and Password Reset actions.
CVE-2020-13422 — CVSS 8.1 (high): OpenIAM before 4.2.0.3 does not verify if a user has permissions to perform /webconsole/rest/api/* administrative actions.