Abstract Advisory Information
The application performs its checks on the client side only; no checks are performed on the server side to ensure that the requested actions are legitimate. Any alteration of the application code would therefore modify the behavior of the application without the backend blocking these unintended actions.
Author: Alexis Pain
Version affected
Name: APSAL
Versions: 3.14.2022.235 b
Common Vulnerability Scoring System
7.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Patch
A better configuration of the access rights to the database can be implemented individually for each client. APSAL customers can contact the APSAL Helpdesk for assistance and guidance in setting up these configurations.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26097
- https://www.telindus.lu/fr/produits/apsal
Vulnerability Disclosure Timeline
- 01/12/2022: Vulnerability discovery
- 09/01/2023: Vulnerability Report to CERT-XLM
- 20/01/2023: Vulnerability Report to Vendor through email
- 17/02/2023: Vendor contacted again for an update
- 20/02/2023: CVE number assigned: CVE-2023-26097
- 24/02/2023: CVE ID communicated to vendor and asked for an update regarding the patch.
- 03/03/2023: Update requested from vendor
- 23/03/2023: Update received from vendor
- 24/04/2023: Expected Vulnerability disclosure