CVE-2019-19127

Name of the Vulnerable Software and Affected Versions Tribal SITS:Vision version 9.7.0

Description An authentication bypass issue is present in the standalone SITS:Vision component of Tribal SITS in its default configuration. This is related to unencrypted communications sent by the client each time it is launched, which occurs because the Uniface TLS Driver is not enabled by default. This allows attackers to gain access to credentials or execute arbitrary SQL queries on the SITS backend as long as they have access to the client executable or can intercept traffic from a user who does.

Recommendations As a temporary workaround, consider enabling the Uniface TLS Driver to encrypt communications and minimize the risk of exploitation. Restrict access to the SITS backend to minimize the risk of arbitrary SQL queries being executed. Avoid using the client executable over unsecured networks until the issue is resolved.