Unauthenticated file access in DVS Avilys
CVE ID: CVE-2022-27192
CVSS Score: 8.9, (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/CR:L/IR:H/AR:L)
Affected Vendors: Asseco Lietuva
Affected Products: DVS Avilys
Vulnerability Details:
The Reporting module in the Asseco Lietuva document management system DVS Avilys before version 3.5.58 allows unauthenticated download of any file on the server. Application log files include session tokens, which allows an attacker to impersonate the administrator of the application and further circumvent the system.
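The second half of the issue is that session tokens were written into log files that later became downloadable. As an added example (not code from the advisory or from Asseco Lietuva), the following Python shows the defensive control for that half: a logging filter that redacts session secrets before any record is written, plus an audit helper for finding tokens already present in existing logs. The cookie and header names and the sample log lines are constructed assumptions, not DVS Avilys's real ones.

```python
import logging
import re
from typing import List

# Constructed log lines of the kind the advisory describes: request
# logging that copied Cookie/Authorization headers verbatim.
# Cookie and header names are assumptions, not DVS Avilys's real ones.
SAMPLE_LOG_LINES = [
    "2022-03-01 10:14:02 INFO  GET /reports/export user=admin "
    "Cookie: JSESSIONID=8F3A1C2B9D4E5F6A7B8C9D0E1F2A3B4C; lang=lt",
    "2022-03-01 10:14:05 INFO  POST /api/search "
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.payload",
    "2022-03-01 10:14:09 INFO  GET /static/logo.png status=200",
]

# Group 1 keeps the key and separator, group 2 is the secret value.
# The value class deliberately excludes '[' so an already-redacted
# "[REDACTED]" marker is never matched again.
_SECRET_PATTERNS = [
    re.compile(r"(?i)((?:JSESSIONID|SESSIONID|sessionToken)=)([A-Za-z0-9._~+/=-]+)"),
    re.compile(r"(?i)(Authorization:\s*Bearer\s+)([A-Za-z0-9._~+/=-]+)"),
]


def redact_tokens(text: str) -> str:
    """Replace every session secret with a fixed marker, keeping the key."""
    for pat in _SECRET_PATTERNS:
        text = pat.sub(r"\g<1>[REDACTED]", text)
    return text


def scrub_lines(lines: List[str]) -> List[str]:
    """Redact a batch of already-written log lines."""
    return [redact_tokens(line) for line in lines]


def find_leaked_tokens(lines: List[str]) -> List[int]:
    """Audit helper: indexes of lines that still carry a session secret."""
    return [i for i, line in enumerate(lines)
            if any(p.search(line) for p in _SECRET_PATTERNS)]


class TokenRedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_tokens(record.getMessage())
        record.args = ()  # already merged into msg above
        return True


if __name__ == "__main__":
    logging.basicConfig(format="%(levelname)s %(message)s")
    log = logging.getLogger("avilys-demo")  # hypothetical logger name
    log.addFilter(TokenRedactingFilter())
    log.warning("Leaked lines before scrubbing: %s", find_leaked_tokens(SAMPLE_LOG_LINES))
    for line in SAMPLE_LOG_LINES:
        log.warning(line)  # printed with tokens replaced by [REDACTED]
```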
Vendor Response:
Asseco Lietuva has issued an update to correct this vulnerability. Contact Asseco Lietuva to obtain the update.
Proof of concept:
Not provided
Disclosure Timeline:
- 2021-11-25 - Vulnerability discovered and reported
- 2021-11-25 - NKSC-LT initiated vulnerability coordination
- 2022-03-10 - NKSC-LT reported vulnerability fixed
- 2022-03-15 - CVE assigned
- 2022-03-23 - Public release
Credit:
This vulnerability was discovered by Jokūbas Arsoba of Transcendent Group