
Unauthenticated file access in DVS Avilys

CVE ID: CVE-2022-27192

CVSS Score: 8.9, (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/CR:L/IR:H/AR:L)

Affected Vendors: Asseco Lietuva

Affected Products: DVS Avilys

Vulnerability Details:

The Reporting module in the Asseco Lietuva document management system DVS Avilys before version 3.5.58 allows unauthenticated download of any file on the server. Application log files include session tokens, which allow an attacker to impersonate the administrator of the application and further circumvent the system.
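The advisory describes two weaknesses: a download endpoint that serves files without authentication or path restriction, and application logs that record session tokens. As an added illustration that is not part of the advisory or of the vendor's code, the following shows the corresponding defensive controls: an authentication gate, a path resolver that refuses anything outside an allow-listed reports directory (including `..` traversal, absolute paths and symlink escapes), and a log-line redactor for session tokens. The directory name, parameter names and token format are assumptions.

```python
import re
from pathlib import Path

# Assumption: report files may only be served from this directory.
REPORTS_DIR = Path("/srv/avilys/reports")  # placeholder, not a real path


class AccessDenied(Exception):
    """Raised when a download request must be refused."""


def resolve_report_path(user_supplied: str, base: Path = REPORTS_DIR) -> Path:
    """Map a client-supplied file name to a path inside `base`, or raise.

    Both the base and the candidate are fully resolved before comparison, so
    '..' segments, absolute paths and symlinks pointing outside the directory
    are all rejected by the same check.
    """
    base = base.resolve()
    candidate = (base / user_supplied).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise AccessDenied(f"path outside reports directory: {user_supplied!r}")
    return candidate


def handle_download(authenticated: bool, user_supplied: str) -> Path:
    """Authenticate first, then restrict the path; both checks are required."""
    if not authenticated:
        raise AccessDenied("authentication required")
    return resolve_report_path(user_supplied)


# Assumption: tokens appear as name=value pairs under one of these names.
_TOKEN_RE = re.compile(r"(?i)\b(JSESSIONID|session|token)=([^;&\s]+)")


def redact_tokens(line: str) -> str:
    """Replace session token values with a fixed marker before logging."""
    return _TOKEN_RE.sub(lambda m: f"{m.group(1)}=<redacted>", line)
```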

Vendor Response:

Asseco Lietuva has issued an update to correct this vulnerability. Contact Asseco Lietuva to obtain the update.

Proof of concept:

Not provided

Disclosure Timeline:

  • 2021-11-25 - Vulnerability discovered and reported
  • 2021-11-25 - NKSC-LT initiated vulnerability coordination
  • 2022-03-10 - NKSC-LT reported vulnerability fixed
  • 2022-03-15 - CVE assigned
  • 2022-03-23 - Public release

Credit:

This vulnerability was discovered by Jokūbas Arsoba of Transcendent Group