Acusend is a leading report portal product from Acuma. Acusend allows organizations to collect and collate information from a diverse range of sources and present it via a uniform web interface. Acusend is widely deployed in Government, Education and Aerospace industries. A security vulnerability in the product allows users to access reports they would otherwise not have access to (due to security restrictions).
Credit:
The information has been provided by David Wray of Sec-Tec.
Vulnerable systems:
* Acusend version 4
During a penetration test of a client's network, Sec-Tec has discovered that it is possible for an authenticated user to access reports belonging to other users if the full URL to the report is known. Although the full URLs may appear to be random, certain factors such as time and date are sometimes used as part of the URL structure, thereby greatly reducing entropy. Release of this information has been withheld awaiting a corrected version from Acuma.
Recommended Action:
The vendor states that the issue is rectified in the latest version.