SB2020091425 - Multiple vulnerabilities in Hyland OnBase
Published: September 14, 2020 Updated: September 15, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 secuirty vulnerabilities.
1) Deserialization of Untrusted Data (CVE-ID: CVE-2020-25260)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the SOAP messages. A remote authenticated attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Path traversal (CVE-ID: CVE-2020-25248)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the "FileName" parameter. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
3) Path traversal (CVE-ID: CVE-2020-25247)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the "FileName" parameter. A remote attacker can send a specially crafted HTTP request and write arbitrary files on the system.
4) Insufficient Logging (CVE-ID: CVE-2020-25249)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected software relies on the client-side to log failures. A remote attacker can use clients such as the Unity Client, drop the "log" request that is sent to the server and write arbitrary data to the server logs.
5) Improper Output Neutralization for Logs (CVE-ID: CVE-2020-25255)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the affected software fails to properly sanitize data before writing it to the logs. A remote attacker can create arbitrary log entries on behalf of any user, with or without authenticating and cause a denial of service conditon on the target system.
6) Deserialization of Untrusted Data (CVE-ID: CVE-2020-25258)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in ASP.NET's "BinaryFormatter.Deserialize". A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2020-25256)
The vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to the affected software contains a number of hardcoded key materials, such as PKI certifikates. A remote attacker can use these hardcoded certificates, which included the pubic and private keys, to encrypt and decrypt data.
8) SQL injection (CVE-ID: CVE-2020-25254)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "TestConnection_LocalOrLinkedServer", "CreateFilterFriendlyView" and "AddWorkViewLinkedServer". A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
9) SQL injection (CVE-ID: CVE-2020-25253)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the the "TableName", "ColumnName", "Name", "UserId" and "Password" parameters. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
10) Cross-site request forgery (CVE-ID: CVE-2020-25252)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
11) XML External Entity injection (CVE-ID: CVE-2020-25257)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote authenticated attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
12) Deserialization of Untrusted Data (CVE-ID: CVE-2020-25259)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
13) Insufficient Logging (CVE-ID: CVE-2020-25250)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected software relies on the client-side to log failures. A remote attacker can use clients such as the Unity Client, drop the "log" request that is sent to the server and write arbitrary data to the server logs.
14) Improper Authorization (CVE-ID: CVE-2020-25251)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to client-side authentication is used for critical functions. A remote attacker can bypass authorization checks and read or modify the server's configuration.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://seclists.org/fulldisclosure/2020/Sep/22
- https://seclists.org/fulldisclosure/2020/Sep/21
- https://seclists.org/fulldisclosure/2020/Sep/8
- https://seclists.org/fulldisclosure/2020/Sep/17
- https://seclists.org/fulldisclosure/2020/Sep/18
- https://seclists.org/fulldisclosure/2020/Sep/7
- https://seclists.org/fulldisclosure/2020/Sep/9
- https://seclists.org/fulldisclosure/2020/Sep/23
- https://seclists.org/fulldisclosure/2020/Sep/16