CVE-2020-24029

---

[Description]

Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request.

---

[Important Dates]

• Announcement (to Vendor): 2020-07-12
• Public disclosure date: 2020-08-31

---

[Vulnerability Type]

Incorrect Access Control

---

[Vendor of Product]

ForLogic

---

[Affected Product Code Base]

• Qualiex - v1
• Qualiex - v3
• Other versions may be affected, especially in the same family (not tested yet)

---

[Affected Component]

Qualiex

---

[Attack Type]

Remote

---

[Impact Escalation of Privileges]

True

---

[Impact Information Disclosure]

True

---

[Attack Vectors]

Unauthenticated password changes publicly available without special requirements (only the correct request)

---

[Has vendor confirmed or acknowledged the vulnerability?]

True

---

[Discoverer]

Mauricio Santos (R&D UnderProtection), Claudemir Nunes (R&D UnderProtection) and Hesron Hori (R&D UnderProtection)

---

[Thanks to]

Forlogic - Vendor's Information Security Team who collaborated to a coordinated disclosure

---

[Reference]

• https://www.underprotection.com.br
• https://forlogic.net
• https://qualiex.com
• https://github.com/underprotection/CVE-2020-24029