Abstract Advisory Information


A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This can be used to grant the attacker an administrative role or to remove an administrative account of the application.

Author: Yoann Chevalier
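The defence that closes this class of bug on a privilege-change endpoint, as an added example that is not the product's code and not part of the original advisory: the server rejects a request unless the browser-set Origin (or Referer) matches the application's own origin and the form carries a token bound to the victim's session. The origin, secret, session id and endpoint name below are constructed assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed values: the application's real origin, secret and session
# handling are assumptions for this example, not taken from the advisory.
APP_ORIGIN = "https://practice.example"
SERVER_SECRET = b"constructed-server-secret-rotate-in-production"


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token: HMAC of the session id, so a token issued to one
    session cannot be replayed against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str) -> str:
    """Reduce a URL or Origin header to scheme://host[:port] for an exact
    comparison (a prefix check would accept practice.example.evil.test)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower() if parts.netloc else ""


def is_same_origin_request(headers: dict, form: dict, session_id: str) -> bool:
    """True only if the browser-set Origin (or Referer) matches the app and the
    submitted token is the one bound to this session. A form auto-submitted
    from a third-party page fails both checks: the browser sets a foreign
    Origin and the page cannot read the victim's session-bound token."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    if _origin_of(source) != APP_ORIGIN:
        return False
    expected = csrf_token_for(session_id)
    return hmac.compare_digest(form.get("csrf_token", ""), expected)


def handle_change_role(headers: dict, form: dict, session_id: str, users: dict):
    """Hypothetical privilege-change endpoint. Returns (status, message) and
    only updates `users` when the request passes the CSRF checks."""
    if not is_same_origin_request(headers, form, session_id):
        return 403, "rejected: cross-site origin or missing/invalid CSRF token"
    users[form["user"]] = form["role"]
    return 200, "ok"
```

Browsers send Origin on cross-site POSTs, so the origin check alone already stops the forged form; the session-bound token covers clients that omit both headers, and a SameSite cookie attribute is a further layer this example does not show.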

Version affected


Name: Star Practice Management Web

Version: 2019.2.0.6

Common Vulnerability Scoring System


8.0

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References


Vulnerability Disclosure Timeline


  • 01/10/2020: Vulnerability discovery
  • 16/10/2020: Vulnerability report to CERT-XLM
  • 20/10/2020: Vulnerability report to STAR
  • 02/10/2020: STAR acknowledgment
  • 10/11/2020: CVE ID request to MITRE
  • 10/11/2020: CVE ID assigned by MITRE
  • 20/01/2021: Expected vulnerability disclosure