PT-2018-6551 · Pleasant Solutions · Pleasant Password Server

Philipp Rocholl · Published 2018-07-31 · Updated 2019-10-03 · CVE-2017-17707

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Pleasant Password Server versions prior to 7.8.3
Description: The issue arises from missing authorization checks, allowing any authenticated user to list, upload, or delete attachments on password safe entries. To perform these actions, a user only needs to know the corresponding CredentialId value, the GUID that uniquely identifies a password safe entry. Although CredentialId values are hard to guess, they are exposed to a malicious user whenever an entry's owner grants that user read-only access or a temporary grant.
Recommendations: For versions prior to 7.8.3, update to version 7.8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to password safe entries and avoiding granting read-only access or temporary grants to untrusted users. Additionally, limit the exposure of CredentialId values to minimize the risk of exploitation.
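As an added illustration (not the vendor's code), the check the advisory describes as missing and its enforced counterpart, in a simplified model where Grant, AttachmentStore, REQUIRED and scenario are hypothetical names and the GUID and user names are constructed:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
# Illustrative model only: Grant and AttachmentStore are hypothetical names, not the product's API.
@dataclass
class Grant:
    user: str
    level: str                           # "owner" or "readonly"
    expires: Optional[datetime] = None   # set on temporary grants

# Grant levels that permit each attachment action once the check is enforced.
REQUIRED = {"list": {"owner", "readonly"}, "upload": {"owner"}, "delete": {"owner"}}

class AttachmentStore:
    def __init__(self, grants: Dict[str, List[Grant]], enforce: bool):
        self.grants = grants             # keyed by CredentialId (the entry's GUID)
        self.files: Dict[str, List[str]] = {cid: [] for cid in grants}
        self.enforce = enforce           # False reproduces the missing check

    def _authorize(self, user: str, cid: str, action: str, now: datetime) -> None:
        if not self.enforce:
            return                       # vulnerable: being authenticated is enough
        for g in self.grants[cid]:
            active = g.expires is None or now < g.expires
            if g.user == user and active and g.level in REQUIRED[action]:
                return
        raise PermissionError(f"{user} may not {action} attachments on {cid}")

    def act(self, user: str, cid: str, action: str, now: datetime, name: str = "") -> List[str]:
        self._authorize(user, cid, action, now)
        if action == "upload":
            self.files[cid].append(name)
        elif action == "delete":
            self.files[cid] = [f for f in self.files[cid] if f != name]
        return list(self.files[cid])

def scenario(enforce: bool) -> Dict[str, bool]:
    # Constructed data: alice owns the entry, bob is read-only, mallory's temporary grant has expired.
    now = datetime(2018, 7, 31, tzinfo=timezone.utc)
    cid = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"   # constructed GUID, not a real id
    store = AttachmentStore({cid: [Grant("alice", "owner"), Grant("bob", "readonly"),
                                   Grant("mallory", "readonly", now - timedelta(days=1))]}, enforce)
    def allowed(user: str, action: str) -> bool:
        try:
            store.act(user, cid, action, now, "ssh-key.pem")
            return True
        except PermissionError:
            return False
    return {"bob_list": allowed("bob", "list"), "bob_delete": allowed("bob", "delete"),
            "mallory_list": allowed("mallory", "list"), "alice_delete": allowed("alice", "delete")}
```

With `enforce=False` every holder of the GUID, including the user whose temporary grant has expired, can delete the attachment; with `enforce=True` only the owner can, and read-only access permits listing alone.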

Weakness Enumeration

Missing Authorization

Related identifiers

CVE-2017-17707

Affected products

Pleasant Password Server