Tanoy Bose

Name of the Vulnerable Software and Affected Versions: SapphireIMS version 5.0 Description: The issue allows an attacker to use hardcoded credentials in clients, with the username: `sapphire` and password: `ims`, to gain access to the portal. Once access is obtained, the attacker can inject malicious OS commands on functions such as "ping", "traceroute", and "snmp" and execute code on the server. This is also possible if the `JSESSIONID` is completely removed. Recommendations: For SapphireIMS version 5.0, consider changing the hardcoded credentials to unique and secure credentials for each client, and restrict access to the "ping", "traceroute", and "snmp" functions to minimize the risk of exploitation. Additionally, implement measures to prevent `JSESSIONID` removal or tampering. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SapphireIMS version 5 Description: The issue concerns the use of default credentials in SapphireIMS. Specifically, the software utilizes default `sapphire:ims` credentials to connect the client to the server. These credentials are stored in the `ServerConf.config` file on the client side. Recommendations: For SapphireIMS version 5, consider changing the default `sapphire:ims` credentials to custom, secure credentials to prevent unauthorized access. As a temporary workaround, restrict access to the `ServerConf.config` file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: SapphireIMS version 5.0 Description: The issue is related to the absence of a CSRF token in the entire application, which can lead to CSRF vulnerabilities in critical application forms, such as account reset. Recommendations: For SapphireIMS version 5.0, consider implementing CSRF tokens in all forms to prevent cross-site request forgery attacks. As a temporary workaround, restrict access to critical application forms like account reset to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: SapphireIMS version 5.0 Description: The issue allows creating a local administrator on any client without requiring credentials by directly accessing the `RemoteMgmtTaskSave` feature, which is part of Automation Tasks, and not having a `JSESSIONID`. Recommendations: For SapphireIMS version 5.0, consider restricting access to the `RemoteMgmtTaskSave` feature to prevent unauthorized creation of local administrators until a patch is available. As a temporary workaround, ensure that all sessions require a valid `JSESSIONID` to access Automation Tasks.

Name of the Vulnerable Software and Affected Versions: SapphireIMS version 5.0 Description: The issue allows an attacker to create a local administrator on any client using the credentials of a non-privileged user. This is achieved by directly accessing the `RemoteMgmtTaskSave` feature, which is part of the Automation Tasks. Recommendations: For SapphireIMS version 5.0, consider disabling direct access to the `RemoteMgmtTaskSave` feature until a patch is available. Restrict the use of Automation Tasks to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: SapphireIMS version 5.0 Description: The issue allows an attacker to use hardcoded credentials in clients, with the username: `sapphire` and password: `ims`, to gain access to the portal. Once access is obtained, the attacker can inject malicious OS commands on functions such as "ping", "traceroute", and "snmp" and execute code on the server. Recommendations: For SapphireIMS version 5.0, consider changing the hardcoded credentials to unique and secure credentials to prevent unauthorized access. As a temporary workaround, restrict access to the "ping", "traceroute", and "snmp" functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SapphireIMS version 5.0 Description: The issue allows for account takeover by sending a request to the "Save Password" form. This can be done without requiring a JSESSIONID, enabling the reset of any user's password by modifying the `username` to the target user and the `password` to base64 encoded desired password. Recommendations: For SapphireIMS version 5.0, as a temporary workaround, consider restricting access to the Save Password form until a patch is available. Avoid using the Save Password form to reset passwords until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SapphireIMS version 4097 1 **Description** The software is susceptible to username guessing due to distinct error messages for incorrect usernames and correct usernames with incorrect passwords. For an "Incorrect User", it displays "The application failed to identify the user. Please contact administrator for help." For a "Correct User and Incorrect Password", it shows "Authentication failed. Please login again." **Recommendations** For SapphireIMS version 4097 1, consider modifying the login form to provide generic error messages that do not distinguish between incorrect usernames and correct usernames with incorrect passwords, thereby preventing attackers from guessing registered usernames.

**Name of the Vulnerable Software and Affected Versions** SapphireIMS version 4097 1 **Description** The issue allows a guest user to create a local administrator account on any system with SapphireIMS installed due to an Insecure Direct Object Reference (IDOR) in the local user creation function. This means that the function does not properly restrict access to objects, allowing unauthorized users to perform actions they should not be able to. **Recommendations** For SapphireIMS version 4097 1, consider restricting access to the local user creation function to prevent guest users from creating local administrator accounts until a patch is available. As a temporary workaround, limit the privileges of guest users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SapphireIMS version 4097 1 **Description** The issue allows a guest user to change the password of an administrative user by exploiting an Insecure Direct Object Reference (IDOR) in the "Account Password Reset" functionality. **Recommendations** For SapphireIMS version 4097 1, restrict access to the "Account Password Reset" functionality to prevent unauthorized password changes until a fix is available.

**Name of the Vulnerable Software and Affected Versions** SapphireIMS version 4097 1 **Description** The password in the database is stored in Base64 format. **Recommendations** For SapphireIMS version 4097 1, consider implementing proper password hashing and storage mechanisms to mitigate the risk of password exposure. As a temporary workaround, restrict access to the database to minimize the risk of exploitation.