usd-2022-0061 | Broken Access Control in CPTO 6.3.8.6
Advisory ID: usd-2022-0061
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE 284 - Improper Access Control
Security Risk: Medium
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31293
CVE Link: Pending
Description
A reader user could access the journal even though this feature had been disabled for the reader system user profile.
Fix
Users should update CPTO to its current version.
Generally, it is important to think through an application’s access control requirements. It is recommended to use an access control matrix in order to define agreed-upon access control rules. It should be documented which types of users can access the system and what these users are allowed to access within it.
References
https://owasp.org/www-community/Broken_Access_Control
Timeline
- 2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
- 2022-11-28: The Responsible Disclosure tries to establish contact with vendor for the first time.
- 2023-04-27: CVE IDs are requested and subsequently reserved.
- 2023-05-12: Trying to establish contact via phone and email has been unsucessful, usd AG's customer notifies the team that vulnerabilities should by fixed come autumn.
- 2023-11-23: Marcus Nilsson got in touch with vendor, the advisories shall be published without a Proof-Of-Concept of the exploits in December.
- 2022-12-21: Advisory published by usd AG.
Credits
This security vulnerability was found by Marcus Nilsson of usd AG.