This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: A critical Access Control flaw in Genealogy PHP app. <br>π₯ **Consequences**: Attackers can hijack ownership of genealogy records belonging to other users. Total loss of data integrity and privacy.
Q2Root Cause? (CWE/Flaw)
π‘οΈ **Root Cause**: **CWE-862** (Missing Authorization). <br>π **Flaw**: The application fails to verify if the current user has permission to modify records owned by others.β¦
π₯ **Affected**: **MGeurts / KREAWEB.be** <br>π¦ **Product**: Genealogy (PHP Application) <br>π **Version**: **Pre-5.9.1** (All versions before 5.9.1 are vulnerable).
Q4What can hackers do? (Privileges/Data)
π **Attacker Actions**: <br>1οΈβ£ **Take Ownership**: Transfer any genealogy record to their own account. <br>2οΈβ£ **Modify Data**: Edit or delete others' family trees.β¦
β οΈ **Threshold**: **LOW** for exploitation, but **MEDIUM** for access. <br>π **Auth Required**: Yes (PR:L). The attacker must be a logged-in user. <br>π **Network**: Remote (AV:N). <br>π― **Complexity**: Low (AC:L).β¦
π« **Public Exploit**: **No**. <br>π **PoC**: None available in the provided data. <br>π **Wild Exploit**: Unlikely at this stage due to lack of public PoCs, but the flaw is trivial to exploit manually if authenticated.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: <br>1οΈβ£ Check your **Genealogy version**. If < 5.9.1, you are at risk. <br>2οΈβ£ Review **Access Control Logic**: Can User A edit records owned by User B?β¦
π₯ **Urgency**: **HIGH**. <br>π **CVSS**: **9.1** (Critical). <br>β‘ **Action**: **Patch Immediately**. Even though auth is required, the impact (S:C, C:H, I:H, A:H) is devastating for data integrity. Do not wait.