CVE-2023-26097

by mrahier96

Abstract Advisory Information

The application performs its authorization checks on the client side only; no checks are performed on the server side to ensure that the requested actions are legitimate. Any alteration of the client-side application code therefore changes the application's behavior without the backend blocking the unintended actions.

Author: Alexis Pain

Version affected

Name: APSAL

Versions: 3.14.2022.235 b

Common Vulnerability Scoring System

7.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Patch

Access rights to the database can be configured more restrictively and individually for each client, so that the database itself rejects actions the client is not entitled to perform. APSAL customers can contact the APSAL Helpdesk for assistance and guidance in setting up these configurations.
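The following is an added illustration and not APSAL's code or its actual fix. It shows the pattern the advisory describes (a backend that executes whatever a modified client sends, because the only check lives in the client) next to the enforcement the patch points toward: an authorization decision taken server-side, per authenticated client, before the database is touched. The record store, user names and the server-side permission table are constructed for the example; the permission table stands in for per-client database access rights and is not APSAL's configuration.

```python
"""Client-trusted vs server-enforced authorization (constructed example).

The "client" is modelled as the request dict it sends. A modified client
can send any request it likes, so the backend must not rely on the client
having hidden or disabled an action in its own code.
"""
import sqlite3


class PermissionDenied(Exception):
    """Raised when the server-side check rejects a request."""


# Server-side permission table (constructed): which authenticated client
# may perform which action. Nothing the client says about itself is used.
PERMISSIONS = {
    "alice": {"read"},
    "bob": {"read", "delete"},
}


def new_db():
    """In-memory record store with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO records (owner, body) VALUES (?, ?)",
        [("alice", "a1"), ("bob", "b1")],
    )
    conn.commit()
    return conn


def execute(conn, action, record_id):
    """Run the requested action against the database, no checks here."""
    if action == "read":
        row = conn.execute(
            "SELECT body FROM records WHERE id = ?", (record_id,)
        ).fetchone()
        return row[0] if row else None
    if action == "delete":
        cur = conn.execute("DELETE FROM records WHERE id = ?", (record_id,))
        conn.commit()
        return cur.rowcount  # number of rows actually deleted
    raise ValueError(f"unknown action {action!r}")


def vulnerable_handle(conn, session_user, request):
    """Pattern from the advisory: the client UI hides 'delete' from users
    who should not have it, and the backend trusts that. A client whose
    code was altered simply sends the request anyway."""
    return execute(conn, request["action"], request["id"])


def hardened_handle(conn, session_user, request):
    """Authorization resolved server-side from the authenticated identity
    (session_user comes from the session, never from the request body)."""
    allowed = PERMISSIONS.get(session_user, set())
    if request["action"] not in allowed:
        raise PermissionDenied(f"{session_user} may not {request['action']}")
    return execute(conn, request["action"], request["id"])


def run_scenario():
    """alice's client was modified to send a delete it never offered in its UI."""
    tampered = {"action": "delete", "id": 2}
    results = {}

    conn = new_db()
    results["vulnerable_deleted"] = vulnerable_handle(conn, "alice", tampered)
    results["vulnerable_remaining"] = conn.execute(
        "SELECT COUNT(*) FROM records"
    ).fetchone()[0]

    conn = new_db()
    try:
        hardened_handle(conn, "alice", tampered)
        results["hardened_denied"] = False
    except PermissionDenied:
        results["hardened_denied"] = True
    results["hardened_remaining"] = conn.execute(
        "SELECT COUNT(*) FROM records"
    ).fetchone()[0]

    # A client that is actually entitled to delete is still served.
    results["bob_deleted"] = hardened_handle(new_db(), "bob", tampered)
    # Reads stay available to alice under the hardened handler.
    results["alice_read"] = hardened_handle(
        new_db(), "alice", {"action": "read", "id": 1}
    )
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the example is where the decision is made: `vulnerable_handle` never consults anything the client cannot rewrite, while `hardened_handle` uses only the server-held identity and the server-held permission table, so tampering with the client changes nothing the backend accepts.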

Vulnerability Disclosure Timeline

  • 01/12/2022: Vulnerability discovery
  • 09/01/2023: Vulnerability report to CERT-XLM
  • 20/01/2023: Vulnerability report to vendor through email
  • 17/02/2023: Vendor contacted again for an update
  • 20/02/2023: CVE number assigned: CVE-2023-26097
  • 24/02/2023: CVE ID communicated to vendor; update requested regarding the patch
  • 03/03/2023: Update requested from vendor
  • 23/03/2023: Update received from vendor
  • 24/04/2023: Expected vulnerability disclosure