usd-2022-0061 | Broken Access Control in CPTO 6.3.8.6

Advisory ID: usd-2022-0061
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE 284 - Improper Access Control
Security Risk: Medium
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31293
CVE Link: Pending

Description

A reader user could access the journal even though this feature had been disabled for the reader system user profile.

Fix

Users should update CPTO to its current version.

Generally, it is important to think through an application’s access control requirements. It is recommended to use an access control matrix in order to define agreed-upon access control rules. It should be documented which types of users can access the system and what these users are allowed to access within it.

References

https://owasp.org/www-community/Broken_Access_Control

Timeline

2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
2022-11-28: The Responsible Disclosure tries to establish contact with vendor for the first time.
2023-04-27: CVE IDs are requested and subsequently reserved.
2023-05-12: Trying to establish contact via phone and email has been unsucessful, usd AG's customer notifies the team that vulnerabilities should by fixed come autumn.
2023-11-23: Marcus Nilsson got in touch with vendor, the advisories shall be published without a Proof-Of-Concept of the exploits in December.
2022-12-21: Advisory published by usd AG.

Credits

This security vulnerability was found by Marcus Nilsson of usd AG.

usd-2022-0061 | Broken Access Control in CPTO 6.3.8.6

Description

Fix

References

Timeline

Credits

About usd Security Advisories

Disclaimer

usd HeroLab

Contact

Follow Us

LabNews

Security Advisories for SONIX and SAP

The Surprising Complexity of Finding Known Vulnerabilities

Security Advisories for Zimperium and FileCloud