CVE Report August 2021

In August, two old reserved CVE numbers where allowed to be published by the manifacturer.

WebSec filed for a CVE update request at MITRE as more details is now allowed to be published.

Software - iPortalis

CVE-2020-9002 - Improper Input Validation

It was possible to change the user role from COMPANY_USER to DOMAIN_ADMIN which is a role which is not listed by default for lower privileged users, this resulted in privilege escalation.

CVE-2020-9000 - Uncontrolled Resource Consumption

It was possible to generate stack trace erros which increased the log size
on the server, the log file gets deleted after every 24 hours however this is sufficient time for an attacker to exhaust the server's memory using automated tools.