CVE-2020-24028


[Description]

ForLogic Qualiex v1 and v3 allows any authenticated customer to achieve privilege escalation via user creations, password changes, or user permission updates.


[Important Dates]

  • Announcement (to Vendor): 2020-07-12
  • Public disclosure date: 2020-08-31

[Vulnerability Type]

Insecure Permissions


[Vendor of Product]

ForLogic


[Affected Product Code Base]

  • Qualiex - v1
  • Qualiex - v3
  • Other versions may be affected, especially others in the same product family (not yet tested)

[Affected Component]

Qualiex


[Attack Type]

Remote


[Impact Escalation of Privileges]

True


[Impact Information Disclosure]

True


[Attack Vectors]

An authenticated permission bypass allows password changes, user creation, and privilege escalation through updates to a user's information.


[Has vendor confirmed or acknowledged the vulnerability?]

True


[Discoverer]

Mauricio Santos (R&D UnderProtection), Claudemir Nunes (R&D UnderProtection), Hesron Hori (R&D UnderProtection) and @redteambrasil


[Thanks to]

ForLogic - the vendor's Information Security Team, who collaborated in a coordinated disclosure


[Reference]