Information disclosure vulnerability in Global Settings in SupportCenter Plus
Severity : Medium
CVE ID : CVE-2022-42903
Affected software version(s) : Versions 11000 to 11024
Fixed version : 11025
Fixed on : October 13, 2022
Details
This vulnerability allowed any authenticated user of a SupportCenter Plus portal (requesters as well as technicians) to obtain the portal owners' personal information, including name and email address, without authorization. The root cause was a missing role check in Global Settings: the relevant APIs returned the owner details without verifying that the caller held the required role, so the restriction existed only in the user interface and not in the API itself.
Impact
Unauthorized users can access portal owners' details.
How was this fixed?
We have added an Organization Administrator role check to these APIs. Only users with this role can now access the portal owners' details; requesters and technicians receive an authorization error regardless of how the API is invoked.
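The following is an added illustration of the bug class this advisory describes and of the fix it applies: an API handler that returns owner details to any authenticated caller, beside the same handler gated by a server-side role check. It is hypothetical example code, not SupportCenter Plus source; the role names, users, record contents and the `require_role` helper are all constructed for the example.

```python
"""Missing-role-check on an API, and the fixed form.

Hypothetical example code, not SupportCenter Plus source. Roles, users,
handler names and the owner records below are constructed for illustration.
"""

from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class Role(Enum):
    REQUESTER = "requester"
    TECHNICIAN = "technician"
    ORG_ADMIN = "organization_administrator"


@dataclass(frozen=True)
class User:
    username: str
    role: Role


# Constructed sample data standing in for the portal owners' records.
PORTAL_OWNERS = [
    {"name": "Owner One", "email": "owner1@example.com"},
    {"name": "Owner Two", "email": "owner2@example.com"},
]


class Forbidden(Exception):
    """Raised when the caller is not allowed to invoke the API."""


def get_portal_owners_vulnerable(caller: Optional[User]) -> List[dict]:
    """Pre-fix behaviour: the only check is that a session exists.

    Any logged-in requester or technician who calls the API directly
    (bypassing the UI, which merely hides the page) receives the data.
    """
    if caller is None:
        raise Forbidden("authentication required")
    return list(PORTAL_OWNERS)


def require_role(caller: Optional[User], *allowed: Role) -> None:
    """Server-side role gate enforced inside the API handler, not the UI."""
    if caller is None:
        raise Forbidden("authentication required")
    if caller.role not in allowed:
        raise Forbidden(f"{caller.username} lacks required role")


def get_portal_owners_fixed(caller: Optional[User]) -> List[dict]:
    """Post-fix behaviour: Organization Administrator only."""
    require_role(caller, Role.ORG_ADMIN)
    return list(PORTAL_OWNERS)


def can_access(handler: Callable[[Optional[User]], List[dict]],
               caller: Optional[User]) -> bool:
    """True if the handler returns data for this caller, False if it refuses."""
    try:
        handler(caller)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    for user in (User("alice", Role.REQUESTER),
                 User("bob", Role.TECHNICIAN),
                 User("carol", Role.ORG_ADMIN)):
        print(user.username, user.role.value,
              "vulnerable:", can_access(get_portal_owners_vulnerable, user),
              "fixed:", can_access(get_portal_owners_fixed, user))
```

The point of the pattern is that the authorization decision is made in the handler from the session's role, so hiding the page in the UI is irrelevant. When verifying the upgrade, replay the Global Settings request that returns owner details using a requester or technician session and confirm the server now rejects it.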
Steps to upgrade
Customers must upgrade to the latest version of SupportCenter Plus (11025) using the appropriate migration path listed here.
Acknowledgements
This vulnerability was reported by B A O.