Task authorization is required to establish a session with other users.

If eVision is installed on a host that is reachable from the Internet, the security risk is considerably higher. An attacker can exploit this issue to conduct session hijacking attacks.

eVision has insufficient rate limiting for task acquisition requests. An unauthenticated remote attacker can exploit this issue to perform large numbers of task acquisition requests.

Vulnerability Scenario

An attacker who is able to create a session on the eVision service can exploit this issue by performing large numbers of task acquisition requests. This vulnerability could be particularly damaging if the application is not protected by additional measures such as TLS (SSL) or IPsec tunnels.

Vulnerable Parts of eVision

eVision has insufficient rate limiting for task acquisition requests. An unauthenticated remote attacker can exploit this issue to perform large numbers of task acquisition requests.

Task Authorization

Session hijacking is a method an attacker can use to take over a user's session. It involves tricking the victim into entering their credentials on a compromised website or into sending them over email. The attacker can then use the stolen credentials to make unauthorized changes to the victim's account in order to steal their data. Such changes may include stealing funds, changing settings, and posting new content.

The vulnerability exists because eVision does not implement proper authorization for task acquisition requests. An attacker can request tasks without authenticating with any credentials, which allows them to perform large numbers of task acquisition requests without any authentication-based limit. One situation in which this could be exploited is an eVision installation that is reachable from the Internet, where an attacker could also conduct session hijacking attacks against its users.
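The two missing controls described above, a session check before handing out a task and a per-client limit on how often tasks can be acquired, are shown side by side in the following added example. This is illustrative code written for this page, not eVision's own implementation (which is not shown here); the in-memory user table, the session store and the bucket parameters (a burst of 5 requests, then 1 request per second) are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenBucket:
    """Per-client token bucket: `capacity` requests may burst, then
    `refill_per_sec` requests are sustained. Time is passed in explicitly so
    the behaviour is deterministic and testable."""
    capacity: int
    refill_per_sec: float
    tokens: float = field(init=False)
    last: Optional[float] = field(init=False, default=None)

    def __post_init__(self) -> None:
        self.tokens = float(self.capacity)  # start full

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above capacity.
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(float(self.capacity),
                              self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class TaskService:
    """Task queue with a constructed in-memory credential and session store."""

    def __init__(self, tasks: List[str], burst: int = 5, refill_per_sec: float = 1.0):
        self._tasks = list(tasks)
        # Constructed credential table (hypothetical user); a real service would
        # store password hashes, not plaintext.
        self._users: Dict[str, str] = {"alice": "correct horse battery staple"}
        self._sessions: Dict[str, str] = {}     # session token -> username
        self._buckets: Dict[str, TokenBucket] = {}  # username -> limiter
        self._burst = burst
        self._refill = refill_per_sec

    def login(self, username: str, password: str) -> Optional[str]:
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = username
        return token

    def acquire_task_unchecked(self) -> Optional[str]:
        """The weak behaviour the advisory describes: any caller, at any rate,
        is handed a task. Kept only for comparison with acquire_task()."""
        return self._tasks.pop(0) if self._tasks else None

    def acquire_task(self, session_token: str, now: float) -> Tuple[str, Optional[str]]:
        """Hardened form: reject callers without a valid session, then apply a
        per-user rate limit before touching the queue."""
        username = self._sessions.get(session_token)
        if username is None:
            return "unauthorized", None
        bucket = self._buckets.setdefault(
            username, TokenBucket(self._burst, self._refill))
        if not bucket.allow(now):
            return "rate_limited", None
        if not self._tasks:
            return "no_tasks", None
        return "ok", self._tasks.pop(0)


def demo() -> List[str]:
    """Replay a burst of acquisition attempts and return the status of each."""
    svc = TaskService([f"task-{i}" for i in range(12)])
    statuses = [svc.acquire_task("not-a-real-token", now=0.0)[0]]
    token = svc.login("alice", "correct horse battery staple")
    assert token is not None
    for _ in range(6):                      # 5 allowed by the burst, 6th limited
        statuses.append(svc.acquire_task(token, now=0.0)[0])
    statuses.append(svc.acquire_task(token, now=1.0)[0])  # one token refilled
    statuses.append(svc.acquire_task(token, now=1.0)[0])  # bucket empty again
    return statuses


if __name__ == "__main__":
    print(demo())
```

The limiter is keyed by the authenticated user rather than by source IP, so a client cannot reset its budget by logging in again from another address; in a deployment the bucket state would live in a shared store so that every front-end instance enforces the same budget, and the `rate_limited` and `unauthorized` outcomes are the events worth logging and alerting on.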

Timeline

Published on: 09/28/2022 04:15:00 UTC
Last modified on: 09/28/2022 23:48:00 UTC