Abstract Advisory Information
Security issue affecting the product AXIOM from the company AXIOMSL (http://axiomsl.com). The web application (a Java applet module used to edit uploaded Excel files, together with its associated Java RMI services) contains several authorization issues allowing a basic user to:
- Access data belonging to other basic users through arbitrary SQL commands,
- Perform horizontal and vertical privilege escalation,
- Cause a denial of service on the whole application,
- Write, read and delete arbitrary files on the server hosting the application.
The vendor has been informed about this vulnerability, and the CVE ID is referenced in the product's release notes for the vulnerable version.
Authors: Dominique Righetto
Affected versions: 9.5.3 (confirmed) and potentially later versions.
Common Vulnerability Scoring System
The issue will not be fixed; clients are recommended not to use this module and, if its installation cannot be avoided, to disable all access to it.
Vulnerability Disclosure Timeline
- 2015-07-01: Security note sent to the AXIOMSL contact about the vulnerability.
- 2015-07-03: Acknowledgement from AXIOMSL of receipt of our note.
- 2015-07-06: CVE ID requested from MITRE.
- 2015-07-10: CVE ID received from MITRE.
- 2015-07-24: Information received from AXIOMSL that the issue will not be fixed.
- 2015-07-25: Creation of this advisory note.
- 2015-07-30: MITRE asked to publish the CVE.