CVE-2020-24029

[Description]

Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request.

[Important Dates]

Announcement (to Vendor): 2020-07-12
Public disclosure date: 2020-08-31

[Vulnerability Type]

Incorrect Access Control

[Vendor of Product]

ForLogic

[Affected Product Code Base]

Qualiex - v1
Qualiex - v3
Other versions may be affected, especially in the same family (not tested yet)

[Affected Component]

Qualiex

[Attack Type]

Remote

[Impact Escalation of Privileges]

True

[Impact Information Disclosure]

True

[Attack Vectors]

Unauthenticated password changes publicly available without special requirements (only the correct request)

[Has vendor confirmed or acknowledged the vulnerability?]

True

[Discoverer]

Mauricio Santos (R&D UnderProtection), Claudemir Nunes (R&D UnderProtection) and Hesron Hori (R&D UnderProtection)

[Thanks to]

Forlogic - Vendor's Information Security Team who collaborated to a coordinated disclosure

redteambrasil/CVE-2020-24029

CVE-2020-24029

[Description]

[Important Dates]

[Vulnerability Type]

[Vendor of Product]

[Affected Product Code Base]

[Affected Component]

[Attack Type]

[Impact Escalation of Privileges]

[Impact Information Disclosure]

[Attack Vectors]

[Has vendor confirmed or acknowledged the vulnerability?]

[Discoverer]

[Thanks to]

[Reference]