Security advisory


Information disclosure vulnerability in Global Settings in SupportCenter Plus

Severity : Medium

CVE ID : CVE-2022-42903

Affected software version(s) : Versions 11000 to 11024

Fixed version : 11025

Fixed on : October 13, 2022

Details

This vulnerability allowed any authenticated user of a SupportCenter Plus portal, requester or technician alike, to retrieve the portal owners' personal information, including their names and email addresses, among other details. The cause was a missing authorization check: the Global Settings APIs that return the portal owner record did not verify the caller's role before serving the data, so authentication alone was enough to read it.

Impact

Authenticated users without an administrative role (requesters and technicians) can read the portal owners' personal details.

How was this fixed?

We have added an Organization Administrator role check to the affected Global Settings APIs. Only users who hold that role can now retrieve the portal owners' details; requests from requesters and technicians without it are denied.
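The bug class here is a missing authorization check on an API that is reachable by any logged-in user. The following Python sketch is an added illustration, not SupportCenter Plus code: the role names, the `PORTAL_OWNERS` record, and both handler functions are hypothetical. It places the pre-fix handler (authentication assumed, no role check) beside the post-fix handler (deny-by-default role gate before any data is read) and evaluates both against a requester, a technician, and an Organization Administrator.

```python
"""Missing-authorization bug class from this advisory, vulnerable vs. fixed.

Added example, not SupportCenter Plus code. Role identifiers, the
PORTAL_OWNERS sample record and the handler functions are hypothetical.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller's role does not permit the operation."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed sample data standing in for the Global Settings portal-owner record.
PORTAL_OWNERS = [
    {"name": "Owner One", "email": "owner1@example.invalid", "phone": "+1-555-0100"},
]

# Hypothetical role identifiers used only by this example.
ROLE_REQUESTER = "Requester"
ROLE_TECHNICIAN = "Technician"
ROLE_ORG_ADMIN = "OrganizationAdministrator"


def get_portal_owners_vulnerable(caller: User) -> list[dict]:
    """Pre-fix behaviour: the caller is assumed authenticated; no role check is made.

    Any logged-in requester or technician receives the owners' personal details.
    """
    return [dict(o) for o in PORTAL_OWNERS]


def require_role(caller: User, role: str) -> None:
    """Deny-by-default authorization gate: raise unless the caller holds `role`."""
    if role not in caller.roles:
        raise Forbidden(f"{caller.name} lacks role {role}")


def get_portal_owners_fixed(caller: User) -> list[dict]:
    """Post-fix behaviour: the role check runs before any data is read."""
    require_role(caller, ROLE_ORG_ADMIN)
    return [dict(o) for o in PORTAL_OWNERS]


def can_read_owners(handler, caller: User) -> bool:
    """True if `handler` returns the owner record to `caller`, False if it is denied."""
    try:
        handler(caller)
        return True
    except Forbidden:
        return False


def access_matrix() -> dict[str, dict[str, bool]]:
    """Who can read the owner record under each handler (constructed callers)."""
    callers = {
        "requester": User("alice", frozenset({ROLE_REQUESTER})),
        "technician": User("bob", frozenset({ROLE_TECHNICIAN})),
        "org_admin": User("carol", frozenset({ROLE_TECHNICIAN, ROLE_ORG_ADMIN})),
    }
    return {
        label: {
            "vulnerable": can_read_owners(get_portal_owners_vulnerable, u),
            "fixed": can_read_owners(get_portal_owners_fixed, u),
        }
        for label, u in callers.items()
    }


if __name__ == "__main__":
    for label, row in access_matrix().items():
        print(f"{label:11s} vulnerable={row['vulnerable']!s:5s} fixed={row['fixed']}")
```

The point of `require_role` running before the data access is that authorization is a property of the endpoint, not of the UI that normally calls it: a requester who never sees the Global Settings page can still issue the underlying API request directly. After upgrading, the practical check is the same as the matrix above: call the owner-details API with a plain requester or technician account and confirm it is refused, then confirm an Organization Administrator still succeeds.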

Steps to upgrade

Customers must upgrade to the latest version of SupportCenter Plus (11025) using the appropriate migration path listed here.

Acknowledgements

This vulnerability was reported by B A O.
