CVE-2020-24028
[Description]
ForLogic Qualiex v1 and v3 allow any authenticated customer to achieve privilege escalation via user creation, password changes, or user permission updates.
[Important Dates]
- Announcement (to Vendor): 2020-07-12
- Public disclosure date: 2020-08-31
[Vulnerability Type]
Insecure Permissions
[Vendor of Product]
ForLogic
[Affected Product Code Base]
- Qualiex - v1
- Qualiex - v3
- Other versions may be affected, especially those in the same product family (not yet tested)
[Affected Component]
Qualiex
[Attack Type]
Remote
[Impact Escalation of Privileges]
True
[Impact Information Disclosure]
True
[Attack Vectors]
An authenticated permission bypass allows a customer to change passwords, create users, and escalate privileges when updating a user's information
[Has vendor confirmed or acknowledged the vulnerability?]
True
[Discoverer]
Mauricio Santos (R&D UnderProtection), Claudemir Nunes (R&D UnderProtection) and Hesron Hori (R&D UnderProtection)
[Thanks to]
ForLogic - the vendor's Information Security Team, who collaborated on a coordinated disclosure