Executive Summary

Summary
Title Aptexx Resident Anywhere exposes sensitive account information
Information
Name: VU#595884                First vendor publication: 2015-06-08
Vendor: VU-CERT                Last vendor modification: 2015-06-08
Severity (vendor): N/A         Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA                 Environmental score: NA
Impact subscore: NA            Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5           Attack range: Network
CVSS impact score: 6.4         Attack complexity: Low
CVSS exploit score: 10         Authentication: None required

Detail

Vulnerability Note VU#595884

Aptexx Resident Anywhere exposes sensitive account information

Original Release date: 08 Jun 2015 | Last revised: 08 Jun 2015

Overview

Aptexx Resident Anywhere does not require authentication to view and modify sensitive information contained in direct account and payment URLs, which can be leveraged to bypass authentication and access user accounts.

Description

CWE-288: Authentication Bypass Using an Alternate Path or Channel - CVE-2014-4882

Aptexx Resident Anywhere, an online payment processing and maintenance request handling service for property managers, does not require authentication to view and modify the account information of its users. Anyone with knowledge of a direct account URL or the ability to guess one can gain account access, bypassing authentication. Account access enables a user to view and modify account data and to submit payments and requests.
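The weakness this note describes, as an added illustration that is not Aptexx's or CERT/CC's code: a minimal Python request handler that serves an account record from its URL alone (the CWE-288 pattern), beside a hardened handler that first requires a valid session and then checks that the session's user owns the account named in the URL. The account ids, session token, field names and the `/account/<id>` path shape are constructed assumptions, not values from the note.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not real Aptexx data): two resident accounts
# and one valid session token mapped to the user it authenticates.
ACCOUNTS = {
    1001: {"name": "Resident A", "card_last4": "4242", "email": "a@example.invalid"},
    1002: {"name": "Resident B", "card_last4": "1881", "email": "b@example.invalid"},
}
SESSIONS = {"sess-valid-A": 1001}   # session token -> authenticated user id
AUDIT_LOG: list = []                # denied requests, kept for detection/alerting

@dataclass
class Request:
    path: str                                   # e.g. "/account/1001"
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def account_id_from_path(path: str) -> Optional[int]:
    """Parse the numeric id out of a direct account URL such as /account/1001."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "account" and parts[1].isdigit():
        return int(parts[1])
    return None

def vulnerable_view_account(req: Request) -> Response:
    """Vulnerable (CWE-288): the URL alone selects the record; no session is ever checked."""
    acct_id = account_id_from_path(req.path)
    if acct_id not in ACCOUNTS:
        return Response(404)
    return Response(200, ACCOUNTS[acct_id])

def hardened_view_account(req: Request) -> Response:
    """Hardened: authenticate the session first, then authorise by account ownership."""
    user_id = SESSIONS.get(req.cookies.get("session", ""))
    if user_id is None:
        return Response(401)            # no valid session: the URL grants nothing
    acct_id = account_id_from_path(req.path)
    if acct_id != user_id:
        # Deny without revealing whether the id exists, and record the
        # attempt: one user walking other account ids is a detection signal.
        AUDIT_LOG.append(f"user {user_id} denied account {acct_id!r}")
        return Response(403)
    return Response(200, ACCOUNTS[acct_id])
```

The two handlers differ only in the checks that run before the record lookup; the vulnerable one returns another resident's stored card digits to an unauthenticated request, the hardened one returns 401 or 403 and leaves an audit entry.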

Impact

A remote, unauthenticated attacker with access to a specific URL can acquire the last four digits of any stored payment account numbers, as well as the name, address, email address, phone number, and payment history of the victim user. The attacker can modify or remove account information, set a new password, and submit fraudulent maintenance requests and payments using stored payment methods.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Until this vulnerability is addressed, Aptexx users should consider the following workaround:

Do not store sensitive information

Do not store sensitive information, specifically payment (credit/debit card or bank account) information with Aptexx until this vulnerability has been resolved. Current users should consider removing sensitive information from their Aptexx accounts.

Vendor Information

Vendor    Status      Date Notified    Date Updated
Aptexx    Affected    28 Aug 2014      02 Jun 2015

CVSS Metrics

Group           Score    Vector
Base            7.5      AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal        6.8      E:POC/RL:U/RC:C
Environmental   2.0      CDP:MH/TD:L/CR:ND/IR:ND/AR:ND

References

  • https://cwe.mitre.org/data/definitions/288.html
  • http://www.aptexx.com/

Credit

Thanks to Claus Jensen for reporting this vulnerability.

This document was written by Todd Lewellen and Joel Land.

Other Information

  • CVE IDs: CVE-2014-4882
  • Date Public: 08 Jun 2015
  • Date First Published: 08 Jun 2015
  • Date Last Updated: 08 Jun 2015
  • Document Revision: 35


Original Source

URL: http://www.kb.cert.org/vuls/id/595884

CWE: Common Weakness Enumeration

%       Id         Name
100 %   CWE-287    Improper Authentication

CPE: Common Platform Enumeration

Type           Description    Count
Application                   1

Alert History

Date                   Information
2015-06-24 00:29:30
  • Multiple Updates
2015-06-23 21:30:59
  • Multiple Updates
2015-06-08 21:25:00
  • First insertion