HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request.
The attacker sends a properly crafted HTTP request, which causes manipulation of the server response (HTTP Response Manipulation). The error classified as CWE-276 (Incorrect Default Permissions) suggests that the permission control mechanism in the application is not properly enforced, which allows bypassing access restrictions. As a result, an unauthenticated remote attacker can obtain a higher privilege level than they are entitled to.
An attacker can obtain unauthorized privilege escalation in the SCRIPT CASE application, which based on the CVSS score indicating complete violation of confidentiality, integrity and availability may result in complete takeover of the application.
Patches available from the vendor should be applied in accordance with the references. It is recommended to monitor official SCRIPT CASE vendor channels and resources indicated in the references (GitHub and besafebrasil.com.br) to obtain information about available updates.
SCRIPT CASE v.1.0.002 Build7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H