In SapphireIMS 4097_1, a guest user is able to change the password of an administrative user by utilizing an Insecure Direct Object Reference (IDOR) in the “Account Password Reset” functionality.
- 14 Sept, 2017 - Informed vendor; No response
- 15 Sept, 2017 - Informed CERT/CC
- 26 Sept, 2017 - First follow up; No response
- 30 Oct, 2017 - Second follow up; No response
- 06 Nov, 2017 - Assigned CVE