Key Information About Vulnerabilities in PubliXone

Overview

Multiple vulnerabilities have been identified in the PubliXone software from Konzept-iX. They allow an attacker to take over arbitrary accounts and to execute functions by abusing unprotected API endpoints, resulting in privilege escalation, information leakage, and arbitrary email sending.

Vulnerabilities

1) Account Takeover (CVE-2020-27179)
   Description: The password reset functionality can be abused to reset any user's password.
   Impact: Critical

2) Missing Access Control for API Endpoints (CVE-2020-27183)
   Description: Several unprotected API endpoints allow actions such as file uploads/downloads, data retrieval, email sending, and more without authentication.
   Impact: Critical

3) Unauthenticated File Download (CVE-2020-27180)
   Description: Files can be downloaded by specifying their unique file ID; no authentication is needed.
   Impact: Critical

4) Hardcoded AES Keys (CVE-2020-27181)
   Description: The Java applet contains a hardcoded AES key in its source code, which can be used for account takeover.
   Impact: Critical

5) Reflected Cross-Site Scripting (XSS) (CVE-2020-27182)
   Description: Several reflected XSS vulnerabilities exist.
   Impact: High

Affected Versions

Vulnerable Version: 2019.045
Fixed Version: 2020.015

Timeline

Vulnerabilities Found: 15.05.2020
Vendor Contact Dates:
- 2020-08-03: Sending vulnerability details.
- 2020-08-18: Asking for further information (no response).
- 2020-09-21: Sending a reminder (no response).
- 2020-10-05: Sending another reminder (no response).
- 2020-10-20: Confirming vulnerabilities fixed in version 2020.015.
- 2020-10-23: Publishing advisory.

Recommendations

Update PubliXone to the latest version (2020.015). No workaround is available.

Advisory URL: SEC Consult Vulnerability Lab
CVE Numbers: CVE-2020-27179, CVE-2020-27183, CVE-2020-27180, CVE-2020-27181, CVE-2020-27182