Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Authentication Bypass in Tribal SITS:Vision

From: Callum Murphy <Callum.Murphy () jisc ac uk>
Date: Mon, 23 Mar 2020 08:58:43 +0000
----------------------------------------------------------------
SITS:Vision 9.7.0 Authentication Bypass
----------------------------------------------------------------

[-] Software Link:

https://www.tribalgroup.com/software-and-services/student-information-systems/sitsvision


[-] Affected Versions:

Version 9.7.0 and possibly other versions.


[-] Vulnerability Description:

An authentication bypass vulnerability is present in the standalone SITS:Vision component of Tribal SITS in its default 
configuration, related to unencrypted communications sent by the client each time it is launched. This vulnerability 
allows unauthenticated attackers to gain access to credentials or execute arbitrary SQL queries on the SITS backend as 
long as they have access to the client executable or can intercept traffic from a user who does.


[-] Solution:

According to the vendor, changing a configuration setting to enable the Uniface TLS driver will mitigate the issue.


[-] Disclosure Timeline:

[15/11/2019] - Issue reported to vendor.
[18/11/2019] - Vendor replies that they consider this to be OK as it can be mitigated with a Uniface configuration 
change.
[20/11/2019] - CVE number assigned.
[23/03/2020] - Publication of this advisory.


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2019-19127 to this 
vulnerability.


[-] Credits:

Vulnerability discovered by Callum Murphy.

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under 
company number. 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 
0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in 
England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, 
BS1 6NB. T 0203 697 5800.  

For more details on how Jisc handles your data see our privacy notice here: 
https://www.jisc.ac.uk/website/privacy-notice

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: