CVE-2020-26679
Summary
| CVE | CVE-2020-26679 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-05-26 12:15:15 UTC |
| Updated | 2026-07-05 00:16:56 UTC |
| Description | vFairs 3.3 is affected by Insecure Permissions. Any user logged in to a vFairs virtual conference or event can modify any other users profile information or profile picture. After receiving any user's unique identification number and their own, an HTTP POST request can be made update their profile description or supply a new profile image. This can lead to potential cross-site scripting attacks on any user, or upload malicious PHP webshells as "profile pictures." The user IDs can be easily determined by other responses from the API for an event or chat room. |
Risk And Classification
Primary CVSS: v3.1 4.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.007920000 probability, percentile 0.518790000 (date 2026-07-05)
Problem Types: CWE-639 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| 2.0 | [email protected] | Primary | 4 | AV:N/AC:L/Au:S/C:N/I:P/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
SingleConfidentiality
NoneIntegrity
PartialAvailability
NoneAV:N/AC:L/Au:S/C:N/I:P/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| api.vfairs.com/v1/profiles | af854a3a-2127-422b-91ae-364da2661108 | api.vfairs.com | Vendor Advisory |
| Virtual Events Platform - Host Amazing Online Events - vFairs | af854a3a-2127-422b-91ae-364da2661108 | vfairs.com | Vendor Advisory |
| Zero-Day Vulnerabilities in Popular Event Management Platforms Could Leave MSPs Open to Attack | af854a3a-2127-422b-91ae-364da2661108 | www.huntress.com | Third Party Advisory |
| api.vfairs.com/v1/profiles | af854a3a-2127-422b-91ae-364da2661108 | api.vfairs.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.