[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, CVE-2023-44031)
- To: Harry Sintonen via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, CVE-2023-44031)
- From: "Rahim, Mohaiman via Fulldisclosure" <fulldisclosure@xxxxxxxxxxxx>
- Date: Tue, 23 Jan 2024 15:57:04 +0000
Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183,
CVE-2023-44031)
Credit: Mohaiman Rahim
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
# Product: RLM 15.1
# Vendor: Reprise Software
# CVE ID: CVE-2023-43183
# Vulnerability Title: Incorrect Access Control (leading to PrivEsc)
# Severity: High
# Author(s): Mohaiman Rahim
# Date: 2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control
vulnerability which allows low level users, such as read-only users, to
arbitrarily change the password of an admin and hijack their account.
Vulnerability PoC:
This vulnerability can be demonstrated by modifying the "user" POST parameter
at http://HOST:5054/change_password_process with the username of a target user
(such as an Admin account).
When executed this will result in the password of the targeted user being
changed and the account therefore being compromised.
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
# Product: RLM 15.1
# Vendor: Reprise Software
# CVE ID: CVE-2023-44031
# Vulnerability Title: Incorrect Access Control (leading to arbitrary file
write)
# Severity: High
# Author(s): Mohaiman Rahim
# Date: 2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control
vulnerability which allows a user to perform privileged web application
functions, such as a function that generates system information.
This vulnerability can be exploited to be able to change the path of where the
diagnostics file should be saved via a crafted HTTP POST request.
This can allow an attacker to save the diagnostics file, containing system
information, in insecure locations.
Vulnerability PoC:
This vulnerability can be demonstrated by modifying the "outputfile" POST
parameter at http://HOST:5054/diagnostics_doit to an insecure path accessible
by local users such as "C:\temp".
Deloitte Disclaimer: Deloitte refers to a Deloitte member firm, one of its
related entities, or Deloitte Touche Tohmatsu Limited ("DTTL"). Each Deloitte
member firm is a separate legal entity and a member of DTTL. DTTL does not
provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte Statsautoriseret Revisionspartnerselskab, CVR-nr. 33 96 35 56 This
message (including any attachments) contains confidential information intended
for a specific individual and purpose, and is protected by law. If you are not
the intended recipient, you should delete this message and are hereby notified
that any disclosure, copying, or distribution of this message, or the taking of
any action based on it, is strictly prohibited.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/