Overview
Aptexx Resident Anywhere does not require authentication to view and modify sensitive information contained in direct account and payment URLs, which can be leveraged to bypass authentication and access user accounts.
Description
CWE-288: Authentication Bypass Using an Alternate Path or Channel - CVE-2014-4882 Aptexx Resident Anywhere, an online payment processing and maintenance request handling service for property managers, does not require authentication to view and modify the account information of its users. Anyone with knowledge of a direct account URL or the ability to guess one can gain account access, bypassing authentication. Account access enables a user to view and modify account data and to submit payments and requests. |
Impact
A remote, unauthenticated attacker with access to a specific URL can acquire the last four digits of any stored payment account numbers, as well as the name, address, email address, phone number, and payment history of the victim user. The attacker can modify or remove account information, set a new password, and submit fraudulent maintenance requests and payments using stored payment methods. |
Solution
The CERT/CC is currently unaware of a practical solution to this problem. Until this vulnerability is addressed, Aptexx users should consider the following workaround: |
Do not store sensitive information |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 6.8 | E:POC/RL:U/RC:C |
| Environmental | 2.0 | CDP:MH/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Claus Jensen for reporting this vulnerability.
This document was written by Todd Lewellen and Joel Land.
Other Information
| CVE IDs: | CVE-2014-4882 |
| Date Public: | 2015-06-08 |
| Date First Published: | 2015-06-08 |
| Date Last Updated: | 2015-07-01 13:09 UTC |
| Document Revision: | 36 |