The SSC REST API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users access to arbitrary details of the Local and LDAP users via POST method and to arbitrary details of other user's Fortify projects via GET method.
Exploit-DB publication at https://www.exploit-db.com/exploits/45990
PacketStorm publication at https://packetstormsecurity.com/files/150771/Fortify-SSC-17.10-17.20-18.10-User-Detail-Insecure-Direct-Object-Reference.html
================
2018-05-24: Discovered
2018-05-25: Retest PRO environment
2018-05-31: Vendor notification, two issues found
2018-05-31: Vendor feedback received
2018-06-01: Internal communication
2018-06-01: Vendor feedback, two issues are confirmed
2018-06-05: Vendor notification, new issue found
2018-06-06: Vendor feedback, evaluating High submission
2018-06-08: Vendor feedback, High issue is confirmed
2018-06-19: Researcher, reminder sent
2018-06-22: Vendor feedback, summary of CVEs handled as official way
2018-06-26: Vendor feedback, official Hotfix for High issue available to test
2018-06-29: Researcher feedback
2018-07-02: Researcher feedback
2018-07-04: Researcher feedback, Hotfix tested on QA environment
2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
2018-08-02: Reminder to vendor, feedback received OK!
2018-09-26: Reminder to vendor, feedback received OK!
2018-09-26: Fixes received from the vendor
2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Feedback from the vendor, technical details provided to the researcher
2018-10-16: Fixes now tested on QA environment
2018-11-08: Reminder received from the vendor, feedback provided by researcher
2018-11-09: Re-rest fixes on QA environment
2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed
2018-11-21: Researcher feedback
2018-11-23: Fixes working well/confirmed by researcher
2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.
2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure
2018-11-26: Agreements with the vendor to publish the CVE/Advisory.
2018-12-12: Public report
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03298201
Alex Hernandez aka (@_alt3kx_)
My current exploit list @exploit-db:
https://www.exploit-db.com/author/?a=1074
https://www.exploit-db.com/author/?a=9576
CVE-2018-7691 with sexy screens here: https://medium.com/@alt3kx