CVE-2020-24029
[Description]
Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request.
[Important Dates]
- Announcement (to Vendor): 2020-07-12
- Public disclosure date: 2020-08-31
[Vulnerability Type]
Incorrect Access Control
[Vendor of Product]
ForLogic
[Affected Product Code Base]
- Qualiex - v1
- Qualiex - v3
- Other versions, especially others in the same product family, may also be affected (not yet tested)
[Affected Component]
Qualiex
[Attack Type]
Remote
[Impact Escalation of Privileges]
True
[Impact Information Disclosure]
True
[Attack Vectors]
Unauthenticated password changes are publicly reachable without special requirements (only a correctly formed request is needed)
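The access-control failure described above, as an added illustration that is not Qualiex code and does not reflect ForLogic's implementation: a minimal password-change handler in the vulnerable shape (the request body names the account and nobody checks who is asking) next to a hardened one that requires an authenticated session, binds the change to that session's own account, and re-verifies the current password. The in-memory store, field names and handler signatures are all hypothetical.

```python
# Added example (hypothetical, not ForLogic/Qualiex code): contrasts the
# "unauthenticated password change" pattern behind CVE-2020-24029 with a
# hardened handler. Store layout and request field names are invented.
import hashlib
import hmac
import os
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Constructed in-memory user table: username -> (salt, hash, role)."""

    def __init__(self) -> None:
        self._users = {}

    def add(self, username: str, password: str, role: str = "customer") -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt), role)

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored, _ = rec
        return hmac.compare_digest(stored, _hash(password, salt))

    def set_password(self, username: str, new_password: str) -> None:
        salt = os.urandom(16)
        _, _, role = self._users[username]
        self._users[username] = (salt, _hash(new_password, salt), role)


def change_password_vulnerable(store: UserStore, request: dict) -> dict:
    """Vulnerable shape: trusts the 'username' field in the body and never
    establishes who sent the request, so any reachable client can reset any
    account, including an admin's."""
    store.set_password(request["username"], request["new_password"])
    return {"status": 200}


def change_password_hardened(store: UserStore, request: dict,
                             session_user: Optional[str]) -> dict:
    """Hardened shape: reject unauthenticated callers, ignore any username in
    the body (the change applies to the session's own account), and require
    proof of the current password before accepting a new one."""
    if session_user is None:
        return {"status": 401}
    if not store.verify(session_user, request.get("current_password", "")):
        return {"status": 403}
    store.set_password(session_user, request["new_password"])
    return {"status": 200}


def demo() -> dict:
    """Send the same unauthenticated request to both handlers and report
    whether the admin account was taken over in each case."""
    store = UserStore()
    store.add("admin", "correct horse battery staple", role="admin")
    unauthenticated_request = {"username": "admin", "new_password": "changed"}

    change_password_vulnerable(store, unauthenticated_request)
    vulnerable_takeover = store.verify("admin", "changed")

    store.add("admin", "correct horse battery staple", role="admin")  # reset
    resp = change_password_hardened(store, unauthenticated_request, session_user=None)
    hardened_takeover = store.verify("admin", "changed")

    return {
        "vulnerable_takeover": vulnerable_takeover,
        "hardened_status": resp["status"],
        "hardened_takeover": hardened_takeover,
    }


if __name__ == "__main__":
    print(demo())
```

The detection angle follows from the same contrast: a password-change endpoint that returns success to requests carrying no session or bearer token is the signal to look for in access logs, and the fix is to derive the target account from the authenticated principal rather than from the request body.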
[Has vendor confirmed or acknowledged the vulnerability?]
True
[Discoverer]
Mauricio Santos (R&D UnderProtection), Claudemir Nunes (R&D UnderProtection) and Hesron Hori (R&D UnderProtection)
[Thanks to]
ForLogic - the vendor's Information Security Team, who collaborated in a coordinated disclosure