Tangro Business Workflow — known CVE vulnerabilities
Every CVE whose affected-product data names Tangro Business Workflow, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (8)
CVE-2020-26174 — CVSS 8.8 (high): tangro Business Workflow before 1.18.1 requests a list of allowed filetypes from the server and restricts uploads to the filetypes…
CVE-2020-26175 — CVSS 6.5 (medium): In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change…
CVE-2020-26178 — CVSS 5.3 (medium): In tangro Business Workflow before 1.18.1, knowing an attachment ID, it is possible to download workitem attachments without being…
CVE-2020-26176 — CVSS 4.3 (medium): An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document/<Document…
CVE-2020-26177 — CVSS 4.3 (medium): In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited…
CVE-2020-26171 — CVSS 4.3 (medium): In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By…
CVE-2020-26172 — CVSS 4.2 (medium): Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a…
CVE-2020-26173 — CVSS 3.1 (low): An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by…