Affected Product: Evasys

Affected Versions: evasys v8.2 Build 2275 - 2285 and evasys v9.0 Build 2400 (both according to vendor)

Fixed Version: v8.2 Build 2286 and v9.0 Build 2401

CVE-Number: CVE-2023-31435

Severity: 8,1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Discovered by Dipl-Ing. Mario Rubak, BSc MSc and Regina Kohl, BSc

Several instances were discovered where the implemented authorization scheme can be circumvented.

Proof of Concept

Read access (with valid token): Users with the role of ‘Teilbereichsadmin’ can access the following URLs through their dashboard. If these URLs are entered with the trainer’s currently valid token in the browser, the trainer can call functions that are not available in the GUI

Liste aller Teilbereiche<valid-trainer-token>

Umfragen anzeigen (including display of users)<valid-trainer-token>

Performanzübersicht (including display of current user)<valid-trainer-token>

Dokumente und Vorlagen (including download of documents)<valid-trainer-token> 

Export von anderen Fragebögen (.vfd files)<valid-trainer-token>

Umfragen anzeigen (including display of multiple data such as users, ...)<valid-trainer-token>

It is noticeable that the “trainer” role sometimes sees more data than the “Teilbereichsadmin” role, as can be seen in the following figure. “Trainer” role sees more entries than “Teilbereichsadmin” role

Read access (without token): Furthermore, a trainer can view other questionnaires by enumerating the frmid: Write access: As previously explained, users can gain partial access to URLs that are not accessible through the GUI if they use their valid token in the TOKEN parameter. The following example demonstrates a scenario where users are not only granted read access but also write access. Specifically, it shows how the template name of an online template of another user can be modified.

The following URL cannot be accessed via the sub-admin dashboard. However, if the sub-admin enters the following URL with their current token in the browser, they can access the online template management.<valid-"Teilbereichsadmin"-Token>

As shown in the figure below, the application only displays the user’s own online templates and those of the SYSTEM. However, a user with the “Teilbereichsadmin” role can create new online templates (in this case, Online Template ID 7 was created by the researchers) or modify existing online templates belonging to other users.

If the user attempts to edit their own template (using the pencil icon) and includes the ID of another user’s online template in the corresponding request, they can change the name of that user’s online template, even if it is not displayed in the application interface.

Accessing “Onlinetemplate-Verwaltung” with the role “Teilbereichsadmin”

User with role “Teilbereichsadmin” changes online template of a user with the role “Trainer” Modified online template - comparison view of users

Another method for unauthorized changes involves editing other users. To do this, a valid request that permits editing a user must be intercepted using an HTTP proxy and the parameter ‘userid’ must be modified to a valid value. By doing so, the auditors were able to access the ‘Edit user attributes’ interface of a user who could not be directly edited through the GUI. It is worth noting that the auditors did not attempt to make or save any changes. No user editing possible in GUI Calling up “Nutzerattribute ändern” by manipulating the userid

Vendor contact timeline

2022/07/26Discovery of the vulnerability
2023/08/05Bulk disclosure of multiple vulnerabilities using the vendors support mail
2023/08/08Vendors respond that they acknowledge the findings and start to work on a fix
2023/08/10Evasys shares detailed plan for the fix with the researchers and asks for a few months of time before disclosing the vulnerability
2023/08/23Vendor responds that the vulnerabilities will be fixed in version 8.2 and 9.0 in 2023/09/06
2023/01/02First attempt to request CVEs at MITRE
2023/03/23Request was closed by MITRE without stating a reason
2023/04/24Second attempt to request CVEs at MITRE
2023/04/28MITRE assigns CVE-2023-31435
2023/05/02The Venord affirms that publication of the vulnerability is permissible
2023/05/02CVE-2023-31435 has been published