PT-2018-18232 · Telexy · Telexy Qpath

Published: 2018-11-08 · Updated: 2019-10-03 · CVE-2018-7718

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Telexy QPath version 5.4.462
Description: A low-privileged authenticated user can modify the user information (email address, username, and password) of other user accounts by supplying a specially crafted serialized request to AdanitDataService.svc. The server does not verify that the account named in the request belongs to the authenticated caller: an attacker can intercept their own password-change request and replace the username with a victim's before the request reaches the server, resulting in account takeover. Changing a victim's email address in the same way has the same consequence.
Recommendations: For Telexy QPath version 5.4.462, consider restricting access to the AdanitDataService.svc endpoint until a patch is available. As a temporary workaround, monitor and validate all requests to this endpoint so that a request can only modify the account of the user who sent it.
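As an added example (not Telexy's code and not part of the original advisory), the server-side ownership check that this class of bug lacks, reused as a detector over constructed request records such as the "monitor and validate" workaround above would need. The request field names and the Session shape are assumptions; the page does not describe QPath's actual serialized format.

```python
"""Added example, not Telexy QPath code. Models the missing authorization
check: a user-update request must target the authenticated caller's own
account unless the caller is an administrator. Field names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str        # principal established by the server-side session
    is_admin: bool


def authorize_user_update(session: Session, request: dict) -> tuple[bool, str]:
    """Return (allowed, reason). The target account comes from the client
    request and is never trusted on its own: it must match the session user."""
    target = request.get("target_user")
    if not target:
        return False, "missing target_user"
    if session.is_admin:
        return True, "admin"
    if target != session.user:
        return False, f"{session.user} attempted to modify {target}"
    return True, "self-service update"


def find_cross_account_updates(records: list[dict]) -> list[dict]:
    """Detection: run the same check over logged requests and return those
    where a non-admin session tried to change a different account."""
    hits = []
    for rec in records:
        session = Session(rec["session_user"], rec["is_admin"])
        allowed, reason = authorize_user_update(session, rec["request"])
        if not allowed:
            hits.append({"session_user": rec["session_user"], "reason": reason})
    return hits


# Constructed sample records modelled on the advisory's scenario (hypothetical
# field names: session_user, is_admin, target_user, password, email).
SAMPLE_RECORDS = [
    {"session_user": "alice", "is_admin": False,
     "request": {"target_user": "alice", "password": "new-secret"}},
    {"session_user": "alice", "is_admin": False,   # username swapped to victim
     "request": {"target_user": "bob", "password": "new-secret"}},
    {"session_user": "alice", "is_admin": False,   # victim's email redirected
     "request": {"target_user": "bob", "email": "alice@example.test"}},
    {"session_user": "admin", "is_admin": True,
     "request": {"target_user": "bob", "email": "bob@example.test"}},
]
```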

Related Identifiers

CVE-2018-7718

Affected Products

Telexy Qpath