Abstract Advisory Information


Security issue affecting the product Vaultize.

There is improper authorization leading to creation of folders within another account via a modified device value.

Authors: Julien EHRHART and Anthony MAIA

Version affected


Vaultize Enterprise File Sharing

Versions 17.05.31

Common Vulnerability Scoring System


5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Patches


Unknown

Vulnerability Disclosure Timeline


  • 24/10/17 Vaultize notification of issues
  • 27/10/17 Notification of Vaultize, issues acknowledgment
  • 08/11/17 Vaultize Notification for 9 issues
  • 09/11/17 Received Fix for:

    – Anonymous reflected XSS on error page

    – Stored XSS on file request.

    – Improper authorization leading to a creation of folders of another account

    – Missing data input validation
  • 23/11/17 Received Fix for:

    – Improper authorization when listing the history of another user
  • 07/12/17 Request for remaining fixes, no answer to Csirt
  • 02/01/18 Vulnerable Clients & Csirt notification
  • 18/04/18 Mitre notification