Held this placeholder, but now I can talk a bit about CVE-2019-11653 as per:
https://softwaresupport.softwaregrp.com/doc/KM03489552
The description and CVSS rating are really descriptive:
An access control bypass vulnerability has been identified in the Web Client component of Content Manager, affecting version 9.1 prior to 9.1.6.6, 9.2 prior to 9.2.3.2 and 9.3 prior to 9.3.2.3. The vulnerability could be exploited to manipulate data stored during another user’s CheckIn request.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Microfocus
They pretty much give away where to look, what parameters to mess with, and the CVSS score gives you the attack vector. Good on them actually.
Timeline of events from my side:
- Contacted Microfocus PSRT – 05/07/2019
- Reproduced and confirmed by Microfocus – 10/07/2019
- Throughout the whole process their engineers kept me in the loop on updates, especially Daniel.
- Public advisory and patches released – 06/08/2019
It was great working with Microfocus; they do take security seriously, without a doubt.
