Abstract Advisory Information
Security issue affecting the product Vaultize.
There is anonymous reflected XSS on the error page via a /share/error?message= URI.
Authors: Julien EHRHART and Anthony MAIA
Vaultize Enterprise File Sharing
Common Vulnerability Scoring System
Vulnerability Disclosure Timeline
- 24/10/17 Vaultize notification of issues
- 27/10/17 Notification of Vaultize, issues acknowledgment
- 08/11/17 Vaultize Notification for 9 issues
- 09/11/17 Received Fix for:
– Anonymous reflected XSS on error page
– Stored XSS on file request.
– Improper authorization leading to a creation of folders of another account
– Missing data input validation
- 23/11/17 Received Fix for:
– Improper authorization when listing the history of another user
- 07/12/17 Request for remaining fixes, no answer to Csirt
- 02/01/18 Vulnerable Clients & Csirt notification
- 18/04/18 Mitre notification