CVE-2021-43978

CVE-2021-43978

by mathildeexlm

Abstract Advisory Information

An access to the database is needed. The application embeds database credentials of a software administrator user into its binary files. This allows users to access a large amount of data to perform read, update, and delete operations. This implies that all instances of the software use the same credentials.

Author: Dominique Righetto

 

Version affected

Name: Popsy Windows (older name) / Allegro Windows
Versions: 3.2.4008.2 / 3.3.4152.0 and under

 

Common Vulnerability Scoring System

7.1
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

 

Patches

Allegro Windows version 3.3.4156.1

 

References

 

Vulnerability Disclosure Timeline

  • 19/08/2021: Vulnerability discovery
  • 19/08/2021: Vulnerability Report to CERT-XLM
  • 20/08/2021: Vulnerability Report to Vendor
  • 20/08/2021: Call to get other contact + New report to vendor via new email address
  • 20/08/2021: 2nd Call leads to another email address + email report
  • 27/08/2021: email report to vendor
  • 03/09/2021: email report to vendor
  • 17/09/2021: Call to refresh the vendor
  • 24/09/2021: Contacted again the vendor
  • 28/09/2021: Vendor acknowledgement and patch version communication
  • 18/11/2021: Request CVE ID to Mitre (CVE-2021-43978)
  • 29/11/2021: Expected Vulnerability disclosure

Find more vulnerabilities in our Security Advisory section.

Top