ISN 2021-07: UMS Web App Information Disclosure
First published 27 September 2021
CVSS 3.1 Base Score: 9.9 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Summary
A critical security vulnerability in UMS Web App affects the following IGEL products:
- UMS 6.8.x with UMS Web App installed
- UMS 6.7.x with UMS Web App installed
- UMS 6.6.x with UMS Web App installed
- UMS 6.5.x with UMS Web App installed
Details
A penetration test found that the UMS Web App can be made to disclose sensitive information, including the UMS Superuser password. The CVSS vector above reflects an unauthenticated network attacker (AV:N, PR:N, UI:N) and a scope change (S:C): the disclosed credential belongs to the UMS itself, not only to the Web App component that leaks it. IGEL would like to thank Lennert Preuth from SCHUTZWERK GmbH, who discovered the vulnerability.
Update Instructions
- Update to UMS 6.08.120
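To decide which UMS installations in an inventory still need action, the affected ranges above can be encoded as a small triage check. The following is an added example, not IGEL's code or part of the advisory. It encodes only what the advisory states (UMS 6.5.x through 6.8.x with UMS Web App installed are affected; UMS 6.08.120 is the fix) and assumes that "6.8.x" in the affected list and "6.08.120" in the update instruction refer to the same release branch with a zero-padded minor component, so the minor number is compared numerically. The hostnames and version strings in the sample inventory are constructed for the example.

```python
"""Triage helper for ISN 2021-07: classify an installed IGEL UMS version.

Added example, not IGEL's code. It encodes only what the advisory states:
UMS 6.5.x through 6.8.x with UMS Web App installed are affected, and the
fix is UMS 6.08.120. The advisory writes the same branch as "6.8.x" in the
affected list and "6.08.120" in the update instruction, so the minor
component is compared numerically (assumption: zero padding only).
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

FIXED_VERSION: Version = (6, 8, 120)                   # UMS 6.08.120
AFFECTED_BRANCHES = {(6, 5), (6, 6), (6, 7), (6, 8)}   # 6.5.x .. 6.8.x

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Version:
    """Parse '6.08.120', '6.8.120' or '6.7' into a comparable int tuple.

    int() drops leading zeros, so '6.08' and '6.8' compare equal.
    A missing build number is treated as 0 (lowest build of that branch).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised UMS version string: {text!r}")
    major, minor, build = m.groups()
    return (int(major), int(minor), int(build) if build is not None else 0)


def classify(version_text: str, webapp_installed: bool) -> str:
    """Return 'affected', 'fixed', 'not-exposed' or 'not-listed'.

    - fixed:       6.08.120 or later on a listed branch.
    - not-exposed: listed branch, but UMS Web App is not installed, which is
                   exactly the state the advisory's mitigation produces.
    - not-listed:  a branch the advisory does not mention (e.g. 6.4.x or
                   6.9.x); the advisory makes no claim about it, so neither
                   does this function. Such hosts need a manual decision.
    """
    v = parse_version(version_text)
    if v[:2] not in AFFECTED_BRANCHES:
        return "not-listed"
    if v >= FIXED_VERSION:
        return "fixed"
    if not webapp_installed:
        return "not-exposed"
    return "affected"


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Classify (hostname, version, webapp_installed) rows by hostname."""
    return {host: classify(ver, wa) for host, ver, wa in inventory}


# Constructed sample inventory for the example (hypothetical hosts).
SAMPLE_INVENTORY = [
    ("ums-prod-01", "6.08.110", True),    # needs update
    ("ums-prod-02", "6.08.120", True),    # already on the fixed release
    ("ums-lab-01", "6.07.100", False),    # Web App not installed
    ("ums-old-01", "6.05.120", True),     # oldest listed branch, affected
    ("ums-legacy", "6.04.100", True),     # branch not covered by the ISN
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

Hosts reported as "not-listed" are deliberately not marked safe: the advisory only enumerates 6.5.x through 6.8.x, and a triage script should not extend that claim to branches it does not cover.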
Mitigation
IGEL strongly recommends that all affected users update to UMS 6.08.120. If you cannot update, remove the vulnerable component instead:
- Make a UMS data backup.
- Re-run your current installer and re-install UMS without UMS Web App.
Whichever option you choose, if the UMS Web App was reachable by untrusted parties before the fix was applied, treat the UMS Superuser password as potentially exposed and change it.