Abstract Advisory Information
The login page of the application is prone to an authentication bypass that allows anyone who knows a user's credentials, other than the password, to gain access to that user's account.
Authors: Alexis Pain
Version affected
Name: GFOS Workforce Management
Versions: 4.8.272.1
Common Vulnerability Scoring System
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Patches
Unknown
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38618
Vulnerability Disclosure Timeline
- 08/06/2021: Vulnerability discovery,
- 24/06/2021: Vulnerability Report to CERT-XLM,
- 29/06/2021: Vulnerability Report to GFOS,
- 29/06/2021: Called to obtain an email contact; awaiting their reply,
- 15/07/2021: Called the contact number and was redirected to the contact email address; sent another email,
- 06/08/2021: Contacted the email address and stated that we would publish on September 27th (last attempt to get in touch),
- 13/08/2021: Requested CVE IDs from MITRE,
- 03/09/2021: Contacted the vendor through the form on its website and by email to the contact address,
- 24/09/2021: Contacted the vendor by email to the contact address,
- 04/10/2021: Vulnerability Disclosure