PT-2022-12244 · Delta Rm

Renato Cruz · Published 2022-01-18 · Updated 2022-07-12 · CVE-2021-44840

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Delta RM version 1.2

Description: An issue was discovered in Delta RM, allowing an attacker with a privileged account to edit, create, and delete risk labels, including Criticality and Priority Indication labels. This can be achieved by using the "/core/table/query" endpoint with a POST request, specifying the affected label with the tableUid parameter and the operation with datas[query]. The vulnerable labels include Priority Indication, Quality Evaluation, Progress Margin, and Priority. Additionally, it is possible to export Criticality labels with an unprivileged user.

Recommendations: For Delta RM version 1.2, consider restricting access to the "/core/table/query" endpoint to prevent unauthorized modifications to risk labels. As a temporary workaround, limit the use of the tableUid parameter and datas[query] to minimize the risk of exploitation. Avoid using the tableUid parameter and datas[query] with unprivileged users to prevent the export of Criticality labels. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
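One way to implement the recommended restriction is a server-side authorization guard in front of the endpoint. The following is an added example, not Delta RM code: only the endpoint and the parameter names tableUid and datas[query] come from the advisory; the role names, the tableUid values for the listed labels and the datas[query] operation values are assumptions.

```python
"""Authorization guard for POST /core/table/query (added example, not Delta RM code)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

ENDPOINT = "/core/table/query"
# Risk-label tables named in the advisory; the tableUid values are assumed.
RISK_LABEL_TABLES = {"Criticality", "PriorityIndication", "QualityEvaluation",
                     "ProgressMargin", "Priority"}
# datas[query] values for write operations; assumed, the advisory gives none.
MUTATING_QUERIES = {"create", "edit", "delete"}
ADMIN_ROLE = "risk_admin"                               # assumed role name
PRIVILEGED_ROLES = {ADMIN_ROLE, "risk_manager"}         # assumed role names


@dataclass
class Request:
    method: str
    path: str
    body: str                         # application/x-www-form-urlencoded
    roles: set[str] = field(default_factory=set)


def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); only the table-query endpoint is gated."""
    if req.path != ENDPOINT or req.method.upper() != "POST":
        return True, "not the guarded endpoint"
    params = parse_qs(req.body, keep_blank_values=True)
    table = params.get("tableUid", [""])[0]
    query = params.get("datas[query]", [""])[0].lower()
    if table not in RISK_LABEL_TABLES:
        return True, "table is not a protected risk label"
    # Creating, editing or deleting a risk label needs the admin role.
    if query in MUTATING_QUERIES:
        if ADMIN_ROLE not in req.roles:
            return False, f"{query} on {table} requires {ADMIN_ROLE}"
        return True, f"{query} on {table} permitted for {ADMIN_ROLE}"
    # Read-style operations such as export still need a privileged role,
    # since the advisory notes Criticality labels could be exported by
    # unprivileged users.
    if not req.roles & PRIVILEGED_ROLES:
        return False, f"{query or 'read'} on {table} requires a privileged role"
    return True, f"{query or 'read'} on {table} permitted"
```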

Exploit

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2021-44840

Affected Products

Delta Rm