CVE-2019-16133

Name of the Vulnerable Software and Affected Versions eteams OA version 4.0.34

Description An issue was discovered where the session is not strictly checked, allowing an ordinary account to obtain the account names and passwords of all employees in the company. This can be achieved by sending a jsessionid value for URIs under "app/profile/summary/".

Recommendations For eteams OA version 4.0.34, as a temporary workaround, consider restricting access to the "app/profile/summary/" endpoint until a patch is available. Additionally, avoid using the jsessionid value in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.