search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Topline Systems Opportunity Form vulnerable to information disclosure

Vulnerability Note VU#669156

Original Release Date: 2015-02-05 | Last Revised: 2015-02-06

Overview

Topline Systems Opportunity Form contains an information disclosure vulnerability.

Description

CWE-200: Information Exposure

Topline Systems Opportunity Form is a macro-enabled Excel spreadsheet that contains connection strings to a public-facing database. By running procedures included in the spreadsheet, user names, email addresses, and passwords are exposed in plain text.

Impact

A remote, authenticated attacker may gain access to user credentials and account data.

Solution

Upgrade

Topline Systems has updated the Opportunity Form, ending support for vulnerable versions and enforcing a mandatory password change for its users. Refer to the Vendor Information section below for the vendor's statement on these and other changes.

Change passwords in other accounts

While it is unknown whether any account data has been compromised, users of the Opportunity Form are advised to change passwords for all other accounts that use the same password, particularly for accounts containing sensitive information. For guidance about password security, refer to Choosing and Protecting Passwords.

Vendor Information

669156
 
Expand all

Topline Systems Affected

Notified:  December 16, 2014 Updated: February 05, 2015

Statement Date:   February 04, 2015

Status

Affected

Vendor Statement

What changes we have made:
1) We have made security changes in XLS Opp form which we have verified with CERT.org and we got Favorable response from CERT on the measures we have taken.
2) We have stopped support for earlier versions of Excel Opportunity form.
3) Users will have to download fresh copy of excel Opportunity form. It will make sure that everyone is using the version with additional security features.
4) We made several patched changes to improve security and will include more changes in the Feb. 15 release.
5) With additional security changes, all the users will have to reset their Password one time.
6) We have added security note for users on Sunday, Jan 11th

Security Note :
We already have good measures for security in applications But we all know, security threats are constantly evolving in market and we need to be on top of it, so we are taking precautionary steps and have made some changes both for Opportunity Portal and Excel based Opportunity form.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 4 AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal 3.3 E:F/RL:OF/RC:C
Environmental 1.3 CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Joel Land.

Other Information

CVE IDs: None
Date Public: 2015-02-05
Date First Published: 2015-02-05
Date Last Updated: 2015-02-06 14:16 UTC
Document Revision: 25

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis