Broken Access Control

Description

A broken access control vulnerability in all Maarch RM versions allows anyone with access to the URLs ({url}/tmp/{MD5 hash of the document}) to retrieve documents present in the archives without authentication. The document types exposed (pdf, email, etc.) depend on the configuration of the preview function.

Information

  • CVE ID: CVE-2022-37774
  • Vulnerability Type: Broken Access Control
  • Vendor of Product: Maarch Xelians
  • Affected Product:
    • Maarch RM 2.8.X - all versions < 2.8.6
    • Maarch RM 2.9.X - all versions < 2.9.1
  • Affected Component: page: /tmp/{MD5 hash of the document}
  • Editor confirmed: Yes
  • Discoverer: François Mehault (francois.mehault -at- proton -dot- me)

References

Approximate Timeline

  • 2022/07/20: Vulnerabilities discovered
  • 2022/07/29: Vulnerabilities reported to the editor (Maarch Xelians)
  • 2022/08/31: Confirmation of vulnerability by the editor
  • 2022/10/18: Vendor issued an official fix (Maarch RM 2.8.6 and 2.9.1)

Technical details

Broken Access Control - Maarch RM All versions, {url}/tmp/{MD5 hash of the document}

  • Details: When a document (pdf, email, etc.) from an archive is accessed, the application offers a preview, depending on the configuration of the preview function. The preview generates a URL that includes an MD5 hash of the accessed file. This URL is then accessible without authentication.
  • Privileges: No privilege required; the attacker only needs to know the URL (browser history, access logs).
  • Location example: http[s]://{url}/tmp/{MD5 hash of the document}
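
For defenders reviewing whether preview URLs were fetched by a third party, the following is an added example (not part of the original advisory or of Maarch RM) that scans web server access logs for successful requests to `/tmp/{MD5 hash}` and flags clients that show no other application activity. It assumes Combined Log Format; the sample lines, IP addresses, hashes, the `/login` path and the "no other activity" heuristic are all constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format (assumed): client, ident, user, [timestamp], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Preview location from the advisory: /tmp/{MD5 hash}, i.e. 32 hex characters.
PREVIEW_RE = re.compile(r'^/tmp/(?P<md5>[0-9a-fA-F]{32})(?:[/?#.]|$)')

# Constructed sample log lines (documentation IP ranges, made-up hashes and paths).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jul/2022:10:00:01 +0200] "POST /login HTTP/1.1" 200 512
192.0.2.10 - - [20/Jul/2022:10:00:09 +0200] "GET /tmp/0123456789abcdef0123456789abcdef HTTP/1.1" 200 48213
198.51.100.7 - - [20/Jul/2022:11:30:44 +0200] "GET /tmp/0123456789abcdef0123456789abcdef HTTP/1.1" 200 48213
198.51.100.7 - - [20/Jul/2022:11:30:50 +0200] "GET /tmp/ffffffffffffffffffffffffffffffff HTTP/1.1" 404 0
192.0.2.10 - - [20/Jul/2022:11:31:02 +0200] "GET /tmp/readme.txt HTTP/1.1" 404 0
"""

def find_preview_hits(lines):
    """Return ({md5: client IPs served a 2xx}, clients seen on non-preview paths)."""
    hits = defaultdict(set)
    app_clients = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        p = PREVIEW_RE.match(m["path"])
        if p is None:
            app_clients.add(m["ip"])
        elif m["status"].startswith("2"):
            hits[p["md5"].lower()].add(m["ip"])
    return hits, app_clients

def suspicious_fetches(lines):
    """Flag (md5, ip) pairs where the client never requested any other path."""
    hits, app_clients = find_preview_hits(lines)
    return sorted((md5, ip) for md5, ips in hits.items()
                  for ip in ips if ip not in app_clients)

if __name__ == "__main__":
    for md5, ip in suspicious_fetches(SAMPLE_LOG.splitlines()):
        print(f"preview {md5} served to {ip} with no other application activity")
```

Clients behind a shared proxy or NAT appear under one address, so treat the output as a starting point for review rather than proof of unauthorized access.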