Vulnerability Note VU#566894

Visibility Software Cyber Recruiter authentication bypass vulnerability

Original Release date: 03 Feb 2014 | Last revised: 03 Feb 2014

Overview

Visibility Software Cyber Recruiter fails to prevent unauthenticated users from accessing protected webpages.

Description

CWE-305: Authentication Bypass by Primary Weakness:

Visibility Software Cyber Recruiter fails to prevent unauthenticated users from accessing protected webpages allowing unauthenticated user to view protected data hosted on the website via the AppSelfService.aspx and AgencyPortal.aspx webpages.

Impact

An unauthenticated attacker can bypass authentication and view protected data hosted on the website via the AppSelfService.aspx and AgencyPortal.aspx webpages.

Solution

Update

The vendor has released Visibility Software Cyber Recruiter 8.1.00 to address this vulnerability. Affected users are advised to upgrade to Visibility Software Cyber Recruiter 8.1.00 or higher.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Visibility SoftwareAffected03 Dec 201303 Feb 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal 3.6 E:F/RL:OF/RC:C
Environmental 1.0 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Brad Arndt and Michael Ledford for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: Unknown
  • Date Public: 27 Jan 2014
  • Date First Published: 03 Feb 2014
  • Date Last Updated: 03 Feb 2014
  • Document Revision: 11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.