ForLogic Qualiex v1 and v3 have weak token expiration. This allows remote unauthenticated privilege escalation and access to sensitive data via token reuse.
- Announcement (to Vendor): 2020-07-12
- Public disclosure date: 2020-08-31
Incorrect Access Control
ForLogic
- Qualiex - v1
- Qualiex - v3
- Other versions may be affected, especially in the same family (not tested yet)
Qualiex
Remote
True
True
Weak expiration of the authorization token permits its reuse to gain privileges and to access sensitive data
True
Mauricio Santos (R&D UnderProtection), Claudemir Nunes (R&D UnderProtection) and Hesron Hori (R&D UnderProtection)
ForLogic - Vendor's Information Security Team, who collaborated on a coordinated disclosure