CVE-2018-10211

by webmestre

Abstract Advisory Information

Security issue affecting the product Vaultize.
There is improper authorization when listing history: the history of another user can be listed via the URL.

Version affected

Vaultize Enterprise File Sharing
Version 17.05.31

Common Vulnerability Scoring System

3.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Patches

Unknown

Vulnerability Disclosure Timeline

  • 24/10/17 Vaultize notification of issues
  • 27/10/17 Notification of Vaultize, issues acknowledgment
  • 08/11/17 Vaultize Notification for 9 issues
  • 09/11/17 Received Fix for:
    – Anonymous reflected XSS on error page
    – Stored XSS on file request
    – Improper authorization leading to the creation of folders of another account
    – Missing data input validation
  • 23/11/17 Received Fix for:
    – Improper authorization when listing the history of another user
  • 07/12/17 Request for remaining fixes, no answer to Csirt
  • 02/01/18 Vulnerable Clients & Csirt notification
  • 18/04/18 Mitre notification