Abstract Advisory Information


The application is prone to an Insecure Direct Object Reference (IDOR) vulnerability that would disclose partial information about certificates and their respective holders.

Author: Julien BLOMMAERT

Version affected


Name: Credential.net

Versions: N/A

Common Vulnerability Scoring System


5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Patches


No patch available

References


Vulnerability Disclosure Timeline


  • 23/10/2023: Vulnerability discovery
  • 27/10/2023: Vulnerability report to CERT-XLM
  • 31/10/2023: Vulnerability report to vendor through email
  • 07/11/2023: Called the vendor; we were redirected to an email address (support@accredible.com)
  • 14/11/2023: Update requested from the vendor through email and the form on their website
  • 21/11/2023: Update requested once again from the vendor via email
  • 28/11/2023: Vendor informed that we will publish on 04/03/2024 if they don’t answer
  • 29/11/2023 -> 01/12/2023: Discussion with the vendor to explain the PII concern
  • 01/12/2023: Vendor states that it’s not a security issue
  • 12/12/2023: Vendor informed that we will publish on 04/03/2024 if they don’t answer about a patch
  • 14/12/2023: CVE ID requested from MITRE
  • 15/12/2023: CVE ID assigned: CVE-2023-50872
  • 04/03/2024: Expected vulnerability disclosure