Version v7.8.3 - Additional Details

Table of contents
  1. Security

Security

The following items have been addressed:

  • 1 - Summary:
    • Additional information could be made accessible by leveraging existing authorized access information
  • Requirement:
    • An authorized user would have to be already logged in with the correct username and password
    • An authorized user would have to already be given access to associated items securely stored in the system
  • Scope of Impact:
    • User would have to already have gained access to an authorized account on the Password Server, as well as have been granted access to secured information
    • The access entries would display as usual in Password Server's auditing and history features.
  • Status:
    • This vulnerability has been fixed in this release.
  • Versions Affected: All

  • 2 - Summary:
    • Information could be modified by leveraging existing authorized access
    • Improvements have been made to further safeguard Password Server's secure information
  • Requirement:
    • An unauthorized user would have to be already logged in with the correct username and password
    • An unauthorized user would have to take advantage of detailed internal system information
  • Scope of Impact:
    • User would have to already have gained access to an authorized account on the Password Server.
    • The changes would display as usual in Password Server's auditing and history features.
  • Status:
    • This vulnerability has been fixed in this release.
  • Versions Affected: 7+
  • 3 - Summary:
    • In a local security context, insufficient output controls could give an authenticated user the opportunity to exploit the handling of system information by entering values into the system.
  • Requirement:
    • An unauthorized user (attacker) would have to be already logged in with the correct username and password, to enter values
    • Then another authorized user would have to navigate to the same locations in the Password Server Web Client.
  • Scope of Impact:
    • User would have to already have gained access to an authorized account on the Password Server.
    • The entries along with any further activities would display as usual in Password Server's auditing and history features.
  • Status:
    • This vulnerability has been fixed in this release.
  • Versions Affected: 7+

  • 4 - Summary:
    • In a local security context, the automatic auto-fill of password credentials by a browser or browser plugin could potentially be leveraged by a third-party script running on the same local website domain.
    • Additional information could be made accessible by accessing information from one domain and injecting it into another.
  • Requirement:
    • An authorized user would have to have already obtained the correct username and password.
    • A third-party script would have to be authorized to run on the same local website domain.
  • Scope of Impact:
    • User would have to already have gained access to an authorized account on the Password Server.
    • The entries by the third party would appear as the original user in the auditing and history features.
  • Status:
    • This is an issue best addressed by organizational awareness and user behaviour.
    • The vulnerability has been addressed in part by this release, but browsers, plugins and third-party scripts continue to find new work-arounds.
    • Recommendation (optional): to further mitigate this concern, disable automatic auto-fill in your browser(s).
  • Versions Affected: All

  • 5 - Summary:
    • A knowledgeable person with access to a previously accessed and unsecured Password Server machine could leverage information to gain entry into the application.
  • Requirement:
    • An authorized user would have to have already obtained the correct username and password
    • An unauthorized user would have to have access to the machine and detailed system knowledge to leverage application entry information
  • Scope of Impact:
    • An individual would have to already have gained access to a machine having authorized account access on the Password Server.
    • The entry by the individual would appear as the original user in the auditing and history features.
  • Status:
    • This vulnerability has been fixed in this release.
  • Versions Affected: All

Acknowledgements:

  • Pleasant Solutions would like to thank Profundis Labs for their security audit and for their participation and cooperation with us, in protecting our customers.