Security Advisory
Description
This advisory announces several security vulnerabilities that were discovered in versions 3.2.4 and 3.4.x of VeridiumID. Customers are advised to upgrade their VeridiumID to version 3.5.0 or above by following the steps found here: https://docs.veridiumid.com/docs/v3.5/upgrade-veridiumid-from-3-x-to-3-5-0
Vulnerabilities
| CVE-ID | Affected Component(s) | Description | Severity |
| --- | --- | --- | --- |
| CVE-2023-44038 | Identity provider page, self-service portal | An information disclosure vulnerability in the identity provider page allows an unauthenticated attacker to leak information about registered users via LDAP injection. | Low |
| CVE-2023-44039 | Identity provider page, self-service portal | An issue in the WebAuthn API of VeridiumID allows an internal unauthenticated attacker who can pass enrolment verifications and is allowed to enrol a FIDO key to register their own FIDO authenticator to a victim's account and consequently take over that account. | High |
| CVE-2023-44040 | Identity provider page | The identity provider page is susceptible to a cross-site scripting (XSS) vulnerability that allows an internal unauthenticated attacker to execute code in the context of the user attempting to authenticate. | Low |
| CVE-2023-45552 | Self-service portal, WebSecAdmin | A stored cross-site scripting (XSS) vulnerability in the admin portal allows an authenticated attacker to take over all accounts by submitting malicious input via the self-service portal. | High |
Acknowledgement
Veridium would like to thank Lim Jing Qiang from the Centre for Strategic Infocomm Technologies (CSIT) for disclosing the vulnerabilities.