Abstract Advisory Information
An access to the database is needed. The application embeds database credentials of a software administrator user into its binary files. This allows users to access a large amount of data to perform read, update, and delete operations. This implies that all instances of the software use the same credentials.
Author: Dominique Righetto
Version affected
Name: Popsy Windows (older name) / Allegro Windows
Versions: 3.2.4008.2 / 3.3.4152.0 and underCommon Vulnerability Scoring System
7.1
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NPatches
Allegro Windows version 3.3.4156.1
References
- https://www.allegro.be/fr/windows
- PATCH : https://www.allegro.be/fr/windows/support
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43978
Vulnerability Disclosure Timeline
- 19/08/2021: Vulnerability discovery
- 19/08/2021: Vulnerability Report to CERT-XLM
- 20/08/2021: Vulnerability Report to Vendor
- 20/08/2021: Call to get other contact + New report to vendor via new email address
- 20/08/2021: 2nd Call leads to another email address + email report
- 27/08/2021: email report to vendor
- 03/09/2021: email report to vendor
- 17/09/2021: Call to refresh the vendor
- 24/09/2021: Contacted again the vendor
- 28/09/2021: Vendor acknowledgement and patch version communication
- 18/11/2021: Request CVE ID to Mitre (CVE-2021-43978)
- 29/11/2021: Expected Vulnerability disclosure