CVE-2021-38618

by Excellium SA

Abstract Advisory Information

The login page of the application is prone to an authentication bypass that allows anyone who knows a user's credentials other than the password to gain access to that user's account.

Authors: Alexis Pain

Version affected

Name: GFOS Workforce Management

Versions: 4.8.272.1

Common Vulnerability Scoring System

7.4

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Patches

Unknown

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38618

Vulnerability Disclosure Timeline

  • 08/06/2021: Vulnerability discovery
  • 24/06/2021: Vulnerability report to CERT-XLM
  • 29/06/2021: Vulnerability report to GFOS
  • 29/06/2021: Called to get an email contact; awaiting for them to reach back to us
  • 15/07/2021: Called the contact number and was redirected to a contact email address; sent another mail
  • 06/08/2021: Contacted the email address and told them that we will publish on September 27th (last attempt to get in touch)
  • 13/08/2021: Requested CVE IDs from MITRE
  • 03/09/2021: Contacted vendor through the form on its website and by email to the contact address
  • 24/09/2021: Contacted vendor by email to the contact address
  • 04/10/2021: Vulnerability disclosure