by Excellium SA

Abstract Advisory Information

Access to the database is needed. The application embeds the database credentials of a software administrator user in its binary files. This allows users to access a large amount of data and to perform read, update, and delete operations on it. It also implies that all instances of the software use the same credentials.

Author: Dominique Righetto


Version affected

Name: Popsy Windows (older name) / Allegro Windows
Versions: 3.2.4008.2 / 3.3.4152.0 and under


Common Vulnerability Scoring System




Allegro Windows version 3.3.4156.1




Vulnerability Disclosure Timeline

  • 19/08/2021: Vulnerability discovery
  • 19/08/2021: Vulnerability report to CERT-XLM
  • 20/08/2021: Vulnerability report to vendor
  • 20/08/2021: Call to get another contact + new report to vendor via new email address
  • 20/08/2021: 2nd call leads to another email address + email report
  • 27/08/2021: Email report to vendor
  • 03/09/2021: Email report to vendor
  • 17/09/2021: Call to remind the vendor
  • 24/09/2021: Contacted the vendor again
  • 28/09/2021: Vendor acknowledgement and patch version communication
  • 18/11/2021: CVE ID requested from MITRE (CVE-2021-43978)
  • 29/11/2021: Expected vulnerability disclosure
