PT-2022-11693 · Veridium · VeridiumID VeridiumAD

Author: Philipp Mao · Published: 2022-01-28 · Updated: 2022-02-02 · CVE-2021-42791

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: VeridiumID VeridiumAD version 2.5.3.0

Description: An issue was discovered in the HTTP request that triggers push notifications for enrolled users, where proper access control is not enforced. This allows a user to trigger push notifications for any other user and modify the text contained in the notification. If the recipient accepts the notification, the user who triggered it can obtain the recipient's login certificate.

Recommendations: For VeridiumID VeridiumAD version 2.5.3.0, consider disabling the push notification feature until a patch is available to enforce proper access control and prevent unauthorized modifications to notification text. Restrict access to the HTTP request endpoint that triggers push notifications to minimize the risk of exploitation. Avoid using the feature that allows triggering push notifications for other users until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
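The two missing controls the description names (the recipient is chosen by the caller, and the notification text is chosen by the caller) are easiest to see side by side. The following is an added illustration written for this entry; it is not VeridiumID code and does not reflect the product's real endpoint, field names or log format, all of which are assumed here. It models the trigger endpoint as a plain function in its flawed form and in a hardened form that binds the recipient to the authenticated session and takes the text from a server-side template, and it adds a small log check that flags requests where the session identity and the named recipient differ, which is the pattern a defender would want to spot while the feature remains enabled.

```python
"""Push-notification trigger: flawed vs hardened, plus a log check.

Added example for this advisory entry. The request shape, function names and
log lines below are constructed for illustration and are not VeridiumID's API.
"""
import re
from dataclasses import dataclass


@dataclass
class PushRequest:
    # Hypothetical request: session_user is the identity the server established
    # from the session; target_user and text arrive in the client-controlled body.
    session_user: str
    target_user: str
    text: str


class PushGateway:
    """Stand-in for the push delivery backend; records what would be sent."""

    def __init__(self):
        self.sent = []

    def send(self, user: str, text: str) -> None:
        self.sent.append((user, text))


def trigger_push_vulnerable(req: PushRequest, gw: PushGateway) -> bool:
    # Flaw as described in the advisory: the caller picks both the recipient and
    # the message body, so any authenticated user can push arbitrary text to any
    # enrolled user.
    gw.send(req.target_user, req.text)
    return True


# Server-owned wording; the client never influences what the recipient reads.
AUTH_PROMPT = "Approve the sign-in that you just started?"


def trigger_push_hardened(req: PushRequest, gw: PushGateway) -> bool:
    # Fix 1: the recipient must be the authenticated user. A request naming
    #        anyone else is rejected (and should be logged as a policy violation).
    # Fix 2: the notification text comes from a server-side template only.
    if req.target_user != req.session_user:
        return False
    gw.send(req.session_user, AUTH_PROMPT)
    return True


# Constructed access-log sample: one line per push trigger request.
SAMPLE_LOG = """\
2022-01-28T10:00:01Z POST /push session_user=alice target_user=alice
2022-01-28T10:00:07Z POST /push session_user=alice target_user=bob
2022-01-28T10:01:12Z POST /push session_user=carol target_user=carol
2022-01-28T10:02:30Z POST /push session_user=mallory target_user=bob
"""

_LINE = re.compile(r"^(\S+) \S+ /push session_user=(\S+) target_user=(\S+)")


def find_cross_user_pushes(log_text: str):
    """Return (timestamp, session_user, target_user) for every request in which
    the caller named a recipient other than themselves. On an unpatched
    deployment these are the requests worth investigating."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m and m.group(2) != m.group(3):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    gw = PushGateway()
    req = PushRequest(session_user="alice", target_user="bob", text="Approve now")
    trigger_push_vulnerable(req, gw)
    print("vulnerable handler sent:", gw.sent)
    gw = PushGateway()
    print("hardened handler accepted cross-user request:", trigger_push_hardened(req, gw))
    print("cross-user pushes in sample log:", find_cross_user_pushes(SAMPLE_LOG))
```

The hardened handler rejects rather than silently rewrites a mismatched target so that the attempt surfaces in logs; the log check is the same comparison applied after the fact, and is only useful where the access log records both the session identity and the requested recipient.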

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2021-42791

Affected Products

VeridiumID VeridiumAD