Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request.
- Announcement (to Vendor): 2020-07-12
- Public disclosure date: 2020-08-31
Incorrect Access Control
ForLogic
- Qualiex - v1
- Qualiex - v3
- Other versions may be affected, especially in the same family (not tested yet)
Qualiex
Remote
True
True
Unauthenticated password changes publicly available without special requirements (only the correct request)
True
Mauricio Santos (R&D UnderProtection), Claudemir Nunes (R&D UnderProtection) and Hesron Hori (R&D UnderProtection)
Forlogic - Vendor's Information Security Team, who collaborated on a coordinated disclosure
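The root cause described above is a password-change operation that accepts the target account from the request itself with no authenticated session behind it. The following is an added example, not code from the advisory or from Qualiex, that contrasts such a handler with a hardened one: the fixed version takes the account identity only from the server-side session, requires the current password before accepting a new one, and enforces a minimum length. The in-memory `UserStore`, the request dictionaries and the demo accounts are all constructed for illustration and assume nothing about the real product's data model.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # illustrative; tune for the deployment


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class UserStore:
    """Constructed in-memory store: user_id -> (role, salt, digest)."""
    users: Dict[str, Tuple[str, bytes, bytes]] = field(default_factory=dict)

    def add(self, user_id: str, password: str, role: str = "customer") -> None:
        salt, digest = hash_password(password)
        self.users[user_id] = (role, salt, digest)

    def set_password(self, user_id: str, password: str) -> None:
        role = self.users[user_id][0]
        salt, digest = hash_password(password)
        self.users[user_id] = (role, salt, digest)

    def check(self, user_id: str, password: str) -> bool:
        if user_id not in self.users:
            return False
        _, salt, digest = self.users[user_id]
        return verify_password(password, salt, digest)


def make_demo_store() -> UserStore:
    """Two constructed accounts used by the demonstration below."""
    store = UserStore()
    store.add("admin", "admin-original-pw", role="admin")
    store.add("alice", "alice-original-pw", role="customer")
    return store


def change_password_vulnerable(store: UserStore, request: dict) -> dict:
    """Incorrect access control: the caller names any account and is never authenticated.

    Mirrors the class of defect in the advisory (unauthenticated password change); the
    request body alone decides whose password is replaced.
    """
    store.set_password(request["user_id"], request["new_password"])
    return {"status": 200}


def change_password_hardened(store: UserStore, session: Optional[dict], request: dict) -> dict:
    """Hardened handler: identity comes from the session, never from the request body."""
    if not session or "user_id" not in session:
        return {"status": 401, "error": "authentication required"}
    user_id = session["user_id"]  # bound to the authenticated principal
    # Re-verify the current password so a hijacked or idle session cannot silently rotate it.
    if not store.check(user_id, request.get("current_password", "")):
        return {"status": 403, "error": "current password incorrect"}
    new_password = request.get("new_password", "")
    if len(new_password) < 12:
        return {"status": 400, "error": "new password too short"}
    store.set_password(user_id, new_password)
    # A real service would also invalidate other sessions and write an audit log entry here.
    return {"status": 200}


if __name__ == "__main__":
    store = make_demo_store()
    # No session at all, yet the admin password is replaced: the defect class from the advisory.
    print(change_password_vulnerable(store, {"user_id": "admin", "new_password": "anything"}))
    store = make_demo_store()
    print(change_password_hardened(store, None, {"new_password": "anything-long-enough"}))
    print(change_password_hardened(store, {"user_id": "alice"},
                                   {"current_password": "alice-original-pw",
                                    "new_password": "new-long-password-1"}))
```

The key design point is that the hardened handler has no `user_id` parameter in the request at all; an administrator-driven reset would be a separate endpoint whose authorization check inspects the session's role, not a request field.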