usd-2018-0015 | Lexware Professional 2017/17.02
Advisory ID: usd-2018-0015
CVE Number: N/A
Affected Product: Lexware Professional 2017
Affected Version: 17.02
Vulnerability Type: Improper/Missing Access Control
Security Risk: Critical
Vendor URL: https://shop.lexware.de/reisekosten-abrechnung
Vendor Status: Fixed
Description
The vulnerability considered here, is the lack of access control on individual users access rights within the database. Once the database is made accessible with the user credentials, irrespective of the privilege level of the user, it is possible to alter data, which should have been otherwise forbidden or hindered. The vulnerability, by design, has serious implications since this allows any user with access to database to alter crucial contents, for example, properties of other users such as name and the group id. This has a broad spectrum of potential impacts, ranging from changing a user’s description to changing the group id and properties. This indicates an easily available method to grant higher privileges to self or alternatively to lower the privileges of an admin level user.
Fix
https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html
Credits
This security vulnerabilities were found by Sebastian Puttkammer of usd AG.