List: full-disclosure
Subject: [FD] Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, CVE-2023-44031)
From: "Rahim, Mohaiman via Fulldisclosure" <fulldisclosure () seclists ! org>
Date: 2024-01-23 15:57:04
Message-ID: PR3PR85MB02697849E650123ACF908BC1A8742 () PR3PR85MB0269 ! NAMPRD85 ! PROD ! OUTLOOK ! COM
Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, CVE-2023-44031)
Credit: Mohaiman Rahim
////////////////////////////////////////////////////////////////////////////////
# Product: RLM 15.1
# Vendor: Reprise Software
# CVE ID: CVE-2023-43183
# Vulnerability Title: Incorrect Access Control (leading to PrivEsc)
# Severity: High
# Author(s): Mohaiman Rahim
# Date: 2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control vulnerability which allows low-privileged users, such as read-only users, to change the password of any other account, including an admin account, and hijack it.
Vulnerability PoC:
This vulnerability can be demonstrated by modifying the "user" POST parameter at http://HOST:5054/change_password_process to the username of a target user (such as an Admin account). The server acts on the supplied "user" value instead of the identity bound to the authenticated session, so the targeted user's password is changed and the account is compromised.
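The check that is missing here, shown as an added example rather than RLM's own code: a change-password handler that trusts the POST "user" field beside one that binds the target account to the authenticated session. The Session model, the role names ("admin", "readonly"), the "newpassword" and "oldpassword" form fields and the plain-dict password store are assumptions made for the demo (a real store holds salted hashes).

```python
# Added example (not RLM's code): the access-control mistake behind
# CVE-2023-43183, as a vulnerable handler beside a hardened one.
# Assumptions: a Session carries the authenticated username and a role
# ("admin" or "readonly"); the POST body is a dict with "user",
# "newpassword" and "oldpassword" keys; passwords live in a plain dict
# purely for the demo (real code stores salted hashes).
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    username: str
    role: str  # assumed roles: "admin" or "readonly"


class AuthorizationError(Exception):
    """Raised when the caller may not act on the requested account."""


def change_password_vulnerable(session, form, users):
    """Flawed logic: the account to modify comes straight from the POST
    body, so a read-only user can name an admin and overwrite its password."""
    target = form["user"]  # attacker-controlled
    users[target] = form["newpassword"]
    return target


def change_password_fixed(session, form, users):
    """Hardened logic: the target is bound to the session; only an admin may
    touch another account, and self-service needs the current password."""
    target = form.get("user", session.username)
    if target not in users:
        raise KeyError(target)
    if target != session.username:
        if session.role != "admin":
            raise AuthorizationError(
                f"{session.username} ({session.role}) may not change {target}")
    else:
        # constant-time compare so timing does not leak the old password
        if not hmac.compare_digest(form.get("oldpassword", ""), users[target]):
            raise AuthorizationError("current password does not match")
    users[target] = form["newpassword"]
    return target


def demo():
    """Replay the advisory's crafted request against both handlers."""
    users = {"admin": "admin-secret", "alice": "alice-secret"}
    attacker = Session("alice", "readonly")
    crafted = {"user": "admin", "newpassword": "owned"}  # constructed input

    vuln_store = dict(users)
    change_password_vulnerable(attacker, crafted, vuln_store)

    fixed_store = dict(users)
    try:
        change_password_fixed(attacker, crafted, fixed_store)
        denied = False
    except AuthorizationError:
        denied = True
    return vuln_store["admin"], denied, fixed_store["admin"]


if __name__ == "__main__":
    print(demo())  # ('owned', True, 'admin-secret')
```

The point of the fixed version is that the account being modified is derived from the session, and the only way to reach a different account is through an explicit role check; the form value is treated as a request, not as an identity.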
////////////////////////////////////////////////////////////////////////////////
# Product: RLM 15.1
# Vendor: Reprise Software
# CVE ID: CVE-2023-44031
# Vulnerability Title: Incorrect Access Control (leading to arbitrary file write)
# Severity: High
# Author(s): Mohaiman Rahim
# Date: 2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control vulnerability which allows a low-privileged user to perform privileged web application functions, such as the diagnostics function that generates system information. Because the output path is also taken from the request, a crafted HTTP POST can change where the diagnostics file is saved, letting an attacker write the file, which contains system information, to an insecure location readable by other local users.
Vulnerability PoC:
This vulnerability can be demonstrated by modifying the "outputfile" POST parameter at http://HOST:5054/diagnostics_doit to an insecure path accessible by local users, such as "C:\temp".
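Two controls are absent in the flaw above, and this added example (not RLM's code) shows both: the privileged diagnostics function gated on role, and the client-supplied "outputfile" reduced to a bare file name inside a server-chosen directory. The Session model and roles, the DIAG_DIR location and the default file name are assumptions; the crafted value is the advisory's own "C:\temp".

```python
# Added example (not RLM's code): hardening the diagnostics handler against
# the flaw described above (CVE-2023-44031). Assumptions: a Session with a
# role of "admin" or "readonly", a server-controlled diagnostics directory
# DIAG_DIR, and a POST body dict carrying "outputfile".
import re
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath


@dataclass(frozen=True)
class Session:
    username: str
    role: str  # assumed roles: "admin" or "readonly"


class AuthorizationError(Exception):
    """Raised when the caller may not invoke the privileged function."""


DIAG_DIR = "/opt/rlm/diagnostics"  # assumed; chosen by the operator, never the client
DEFAULT_NAME = "rlmdiag.txt"        # assumed default report name
# Allowlist for a bare file name: no separators, drive letters or leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def diagnostics_vulnerable(session, form):
    """Flawed logic: no role check, and the destination is whatever the
    client sent, so a read-only user can drop the report into C:\\temp."""
    return form.get("outputfile", DEFAULT_NAME)


def naive_posix_check(p):
    """Pitfall: a POSIX-only absolute-path test says "C:\\temp" is relative."""
    return PurePosixPath(p).is_absolute()


def is_absolute_anywhere(p):
    """Absolute on either platform, so neither "C:\\temp" nor "/tmp/x" slips by."""
    return PurePosixPath(p).is_absolute() or PureWindowsPath(p).is_absolute()


def diagnostics_fixed(session, form):
    """Hardened logic: privileged function gated on role; the client may only
    pick a bare file name, which is joined to the server's own directory."""
    if session.role != "admin":
        raise AuthorizationError("diagnostics requires the admin role")
    name = form.get("outputfile", DEFAULT_NAME)
    if is_absolute_anywhere(name) or not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected outputfile {name!r}")
    dest = PurePosixPath(DIAG_DIR) / name
    # Belt and braces: the allowlist already forbids separators, but confirm
    # the destination still sits inside DIAG_DIR before anything is written.
    if PurePosixPath(DIAG_DIR) not in dest.parents:
        raise ValueError("escaped diagnostics directory")
    return str(dest)


def demo():
    """Replay the advisory's crafted request against both handlers."""
    attacker = Session("alice", "readonly")
    admin = Session("root", "admin")
    crafted = {"outputfile": "C:\\temp"}  # the advisory's PoC value, constructed here
    leaked_to = diagnostics_vulnerable(attacker, crafted)
    try:
        diagnostics_fixed(attacker, crafted)
        low_priv = "allowed"
    except AuthorizationError:
        low_priv = "role denied"
    try:
        diagnostics_fixed(admin, crafted)
        admin_result = "allowed"
    except ValueError:
        admin_result = "path rejected"
    return leaked_to, low_priv, admin_result, diagnostics_fixed(admin, {"outputfile": "site1.txt"})


if __name__ == "__main__":
    print(demo())  # ('C:\\temp', 'role denied', 'path rejected', '/opt/rlm/diagnostics/site1.txt')
```

Accepting only a file name, rather than trying to sanitise a full path, sidesteps the platform quirks: a server that checks for a leading "/" but runs on Windows, or checks for a drive letter but runs on Linux, still lets the other form through, which is why the example tests both path flavours before the allowlist.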
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/