CVE-2023-38257

Name of the Vulnerable Software and Affected Versions Iagona ScrutisWeb versions 2.1.37 and prior

Description The issue is related to an insecure direct object reference vulnerability. This could allow an unauthenticated user to view profile information, including user login names and encrypted passwords. The vulnerability is associated with an error in processing user-controlled authorization keys.

Recommendations For Iagona ScrutisWeb versions 2.1.37 and prior, update to a version later than 2.1.37 to resolve the issue. As a temporary workaround, consider restricting access to profile information to minimize the risk of exploitation. Avoid using the vulnerable profile information endpoint until the issue is resolved. At the moment, there is no information about additional mitigation measures.