Abstract Advisory Information


Once the user is authenticated, the application uses a technical user behind the scenes to perform operations against the database. This technical user has access to more information than the authenticated user. It is possible to retrieve the credentials of this technical user and use them to access all the information of the system.

Author: Dominique Righetto

Version affected


Name: Wallstreet Suite

Version: 7.4.83 (64-bit edition)

Common Vulnerability Scoring System


5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Patches


Unknown

References


Vulnerability Disclosure Timeline


  • 21/05/2021: Vulnerability discovery
  • 26/05/2021: Vulnerability Report to CERT-XLM
  • 07/06/2021: Vulnerability Report to Vendor
  • 15/06/2021: Call to get other contact + New report to the vendor via the new email address
  • 29/06/2021: Email sent again to get acknowledgment
  • 15/07/2021: Called again and redirected to wallstreet e-mail
  • 15/07/2021: Wallstreet Systems acknowledgment asked for bug bounty platform account
  • 23/07/2021: Call to refresh enquiry for access. It is not possible to redirect to Customer
  • 06/08/2021: Call to refresh enquiry for access on the Customer email and platform IIMS
  • 13/08/2021: Website form enquiry + mail to access on the customer platform IIMS
  • 03/09/2021: Mail to access on the customer platform IIMS
  • 17/09/2021: Request CVE IDs to Mitre
  • 13/10/2021: Expected Vulnerability disclosure