usd-2018-0015 | Lexware Professional 2017/17.02

Advisory ID: usd-2018-0015
CVE Number: N/A
Affected Product: Lexware Professional 2017
Affected Version: 17.02
Vulnerability Type: Improper/Missing Access Control
Security Risk: Critical
Vendor URL: https://shop.lexware.de/reisekosten-abrechnung
Vendor Status: Fixed

Description

The vulnerability considered here, is the lack of access control on individual users access rights within the database. Once the database is made accessible with the user credentials, irrespective of the privilege level of the user, it is possible to alter data, which should have been otherwise forbidden or hindered. The vulnerability, by design, has serious implications since this allows any user with access to database to alter crucial contents, for example, properties of other users such as name and the group id. This has a broad spectrum of potential impacts, ranging from changing a user’s description to changing the group id and properties. This indicates an easily available method to grant higher privileges to self or alternatively to lower the privileges of an admin level user.

Fix

https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html

Credits

This security vulnerabilities were found by Sebastian Puttkammer of usd AG.

usd-2018-0015 | Lexware Professional 2017/17.02

Description

Fix

Credits

About usd Security Advisories

Disclaimer

usd HeroLab

Contact

Follow Us

LabNews

Security Advisories for SONIX and SAP

The Surprising Complexity of Finding Known Vulnerabilities

Security Advisories for Zimperium and FileCloud