PT-2021-20147 · Onyaktech · Onyaktech Comments Pro

Burninator · Published 2021-09-07 · Updated 2021-09-13 · CVE-2021-33484

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OnyakTech Comments Pro version 3.8

Description: An issue was discovered in CommentsService.ashx. An attacker can download a copy of the installer, decompile it, and discover a hardcoded IV used to encrypt the username and userid in the comment POST request. The attacker can also decrypt the encrypted encryption key by setting this encrypted value as the username, which will appear on the comment page in its decrypted form. Using these values, combined with the encryption functionality discovered in the decompiled installer, the attacker can encrypt another user's ID and username. These values can be used as part of the comment posting request to spoof the user.

Recommendations: For OnyakTech Comments Pro version 3.8, consider disabling CommentsService.ashx until a patch is available to prevent exploitation. Restrict access to the comment posting functionality to minimize the risk of user spoofing. Avoid using the encrypted encryption key as a parameter in the comment form request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
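As an added illustration (not OnyakTech's code), the design point behind the recommendations: a comment handler that trusts client-supplied identity fields because they "decrypt cleanly" (the vulnerable shape) beside one that derives the author from a server-issued, HMAC-authenticated token, so no key or IV ever has to reach the client and the server never decrypts or reflects client input. SERVER_KEY, the token layout and all function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret for this example; a real deployment keeps it in protected
# server configuration, never inside a client-downloadable installer.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def trust_decrypted_identity(decrypted_fields):
    """Vulnerable pattern (illustrative): believe whatever username/userid the
    client sent once the fields decrypt. Encryption alone proves nothing about
    who produced the ciphertext, so a known key plus fixed IV allows spoofing."""
    return {"user_id": decrypted_fields["userid"],
            "username": decrypted_fields["username"]}

def issue_identity_token(user_id, username, ttl_seconds=3600):
    """Hardened pattern: identity is fixed by the server after login and bound
    with an HMAC tag. The client can read it but cannot alter it."""
    payload = json.dumps({"uid": user_id, "name": username,
                          "exp": int(time.time()) + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def verify_identity_token(token, now=None):
    """Return the identity in a token, or None if malformed, forged or expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        data = json.loads(payload)
        if data["exp"] < (now if now is not None else time.time()):
            return None
        return {"user_id": data["uid"], "username": data["name"]}
    except (ValueError, KeyError, TypeError):
        return None

def tamper_token(token, new_user_id):
    """Rewrite the uid inside a token but keep its original tag, to show that a
    modified payload is rejected by verify_identity_token."""
    raw = base64.urlsafe_b64decode(token.encode())
    data = json.loads(raw[:-TAG_LEN])
    data["uid"] = new_user_id
    payload = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + raw[-TAG_LEN:]).decode()

def post_comment(token, body):
    """Comment handler: the author comes only from the verified token."""
    identity = verify_identity_token(token)
    if identity is None:
        return {"status": 403, "error": "invalid or expired identity token"}
    return {"status": 200, "author": identity["username"],
            "user_id": identity["user_id"], "body": body}
```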

Exploit

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2021-33484

Affected Products

Onyaktech Comments Pro