SB2020090408 - Multiple vulnerabilities in ForLogic Qualiex

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-24028)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions. A remote authenticated attacker can gain elevated privileges via user creations, password changes, or user permission updates.

2) Insufficient Session Expiration (CVE-ID: CVE-2020-24030)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient session expiration issue. A remote non-authenticated attacker can obtain or guess session token and gain unauthorized access to session that belongs to another user.

3) Improper access control (CVE-ID: CVE-2020-24029)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can send a simple request and access customer and admin permissions.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://forlogic.net
• https://github.com/underprotection/CVE-2020-24028
• https://qualiex.com
• https://github.com/underprotection/CVE-2020-24030
• https://github.com/underprotection/CVE-2020-24029