Version v7.8.3 - Additional Details

Security

The following items have been addressed:

  • 1 - Summary:
    • Additional information could be made accessible by leveraging existing authorized access information
  • Requirement:
    • An authorized user would have to be already logged in with the correct username and password
    • An authorized user would have to already be given access to associated items securely stored in the system
  • Scope of Impact:
    • User would have to already have gained access to an authorized account on the Password Server, as well as have been granted access to secured information
    • The access entries would display as usual in Password Server's auditing and history features.
  • Status:
    • This vulnerability has been fixed in this release.
  • Versions Affected: All

  • 2 - Summary:
    • Information could be modified by leveraging existing authorized access
    • Improvements have been made to further safeguard Password Server's secure information
  • Requirement:
    • An unauthorized user would have to be already logged in with the correct username and password
    • An unauthorized user would have to take advantage of detailed internal system information
  • Scope of Impact:
    • User would have to already have gained access to an authorized account on the Password Server.
    • The changes would display as usual in Password Server's auditing and history features.
  • Status:
    • This vulnerability has been fixed in this release.
  • Versions Affected: 7+

  • 3 - Summary:
    • In a local security context, insufficient output controls could allow an authenticated user the opportunity to exploit the handling of system information by entering values into the system
  • Requirement:
    • An unauthorized user (attacker) would have to be already logged in with the correct username and password, to enter values
    • Then another authorized user would have to navigate to the same locations in the Password Server Web Client.
  • Scope of Impact:
    • User would have to already have gained access to an authorized account on the Password Server.
    • The entries along with any further activities would display as usual in Password Server's auditing and history features.
  • Status:
    • This vulnerability has been fixed in this release.
  • Versions Affected: 7+

  • 4 - Summary:
    • In a local security context, the automatic auto-fill of password credentials by a browser or browser plugin could potentially be leveraged by a third-party script running on the same local website domain.
    • Additional information could be made accessible by accessing information from one domain and injecting it into another
  • Requirement:
    • An authorized user would have to have already obtained the correct username and password
    • Another third-party script would have to be authorized to run on the same local domain website
  • Scope of Impact:
    • User would have to already have gained access to an authorized account on the Password Server.
    • The entries by the third party would appear as the original user in the auditing and history features.
  • Status:
    • This is an issue best addressed by organizational awareness and user behaviour
    • The vulnerability has been addressed in part by this release, but browsers, plugins and third-party scripts continue to find new, innovative work-arounds.
    • Recommendation (optional): to further mitigate this concern, disable automatic auto-fill in your browser(s)
  • Versions Affected: All

  • 5 - Summary:
    • A knowledgeable person with access to a previously accessed and unsecured Password Server machine could leverage information to gain entry into the application.
  • Requirement:
    • An authorized user would have to have already obtained the correct username and password
    • An unauthorized user would have to have access to the machine and detailed system knowledge to leverage application entry information
  • Scope of Impact:
    • An individual would have to already have gained access to a machine having authorized account access on the Password Server.
    • The entry by the individual would appear as the original user in the auditing and history features.
  • Status:
    • This vulnerability has been fixed in this release.
  • Versions Affected: All

Acknowledgements:

  • Pleasant Solutions would like to thank Profundis Labs for their security audit and for their participation and cooperation with us in protecting our customers.