PT-2021-24168 · Dalmark Systems · Systeam

Published: 2021-12-21 · Updated: 2022-07-12 · CVE-2021-44877

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Dalmark Systems Systeam version 2.22.8 build 1724
Description: The Systeam application, an ERP system with a mixed architecture (SaaS-based tenant and user management, with on-premise database and web application counterparts), has a broken access control vulnerability. The flaw lies in the use of temporary generated tokens to consume API resources: an unauthenticated attacker can generate a temporary JWT token and use it to request system configuration parameters via direct API requests, resulting in sensitive information exposure. If the tenant has an SMTP credential configured, the full credential is disclosed.
Recommendations: For Dalmark Systems Systeam version 2.22.8 build 1724, consider disabling the use of temporary generated tokens for API resource consumption until a patch is available. Restrict access to the API endpoints that issue temporary JWT tokens to minimize the risk of exploitation. Avoid using direct API requests to retrieve system configuration parameters until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
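The following is an added illustration of the flaw class described above and of the control the recommendations point at; it is not Systeam code and makes no claim about Systeam's real API. It models a server that mints short-lived "temporary" JWTs for unauthenticated callers and shows two request handlers: a vulnerable one that lets any validly signed token reach the tenant configuration route, and a hardened one that binds every token to a scope claim and refuses temporary tokens on sensitive routes. The route names (`/api/public/status`, `/api/config`), the claim names (`scope`, `sub`, `exp`), the signing key and the tenant configuration are all constructed for the example.

```python
"""Scoped-token authorization check (hypothetical, added example).

A temporary JWT that the server hands to unauthenticated callers must not be
interchangeable with a logged-in user's token. Here the scope claim carries
that distinction and the hardened handler enforces it per route.
Route names, claim names, key and config are constructed, not Systeam's.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed

# Constructed tenant configuration, standing in for what a config endpoint
# returns; the SMTP block is the kind of data the advisory says leaks.
TENANT_CONFIG = {
    "smtp": {"host": "mail.example.test", "user": "mailer", "password": "hunter2"},
    "locale": "en-US",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SERVER_KEY, now=None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def issue_temporary_token(now=None) -> str:
    """What an unauthenticated caller can obtain: note the explicit 'temp' scope."""
    now = time.time() if now is None else now
    return mint_token({"sub": "anonymous", "scope": "temp", "exp": now + 300})


def issue_user_token(user: str, now=None) -> str:
    """Issued only after a real login (login itself is out of scope here)."""
    now = time.time() if now is None else now
    return mint_token({"sub": user, "scope": "user", "exp": now + 3600})


# Which scopes may reach which route. Temporary tokens are confined to the
# resource they were minted for; tenant configuration needs a real login.
ROUTE_SCOPES = {
    "/api/public/status": {"temp", "user"},
    "/api/config": {"user"},
}


def handle_request_vulnerable(path: str, token: str):
    """Flaw class from the advisory: any validly signed token reaches any route."""
    if verify_token(token) is None:
        return 401, None
    if path == "/api/config":
        return 200, TENANT_CONFIG
    return 200, {"status": "ok"}


def handle_request_hardened(path: str, token: str):
    """Authentication (signature, expiry) and authorization (scope) are both checked."""
    claims = verify_token(token)
    if claims is None:
        return 401, None
    allowed = ROUTE_SCOPES.get(path)
    if allowed is None:
        return 404, None
    if claims.get("scope") not in allowed:
        return 403, None  # a temporary token is not a login
    if path == "/api/config":
        return 200, TENANT_CONFIG
    return 200, {"status": "ok"}


if __name__ == "__main__":
    temp = issue_temporary_token()
    print("vulnerable /api/config with temp token:", handle_request_vulnerable("/api/config", temp)[0])
    print("hardened   /api/config with temp token:", handle_request_hardened("/api/config", temp)[0])
```

The point of the hardened handler is that signature validity alone says nothing about what the caller is allowed to see; the scope claim is set by the issuer at mint time and checked against an explicit per-route allow-list, so a temporary token remains useful for the resource it was minted for and nothing else. Logging the 403 outcomes for temporary tokens on sensitive routes also gives a defender a straightforward detection signal for attempts of this kind.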

Related Identifiers

CVE-2021-44877

Affected Products

Systeam