TrueFiling URL Identifier Manipulation Vulnerability Allowing Unauthorized Access to Case Information

Vulnerability

A vulnerability in TrueFiling, a cloud-based electronic filing system, prior to version 3.1.112.19, allowed users to manipulate client-controlled identifiers in URL requests. This manipulation could be used to gain partial access to case information and to alter user access to that information. The issue arose because TrueFiling trusted certain identifiers passed by the client, so an authenticated user could exploit this trust to access or modify case details belonging to other users. All instances of TrueFiling were updated to address this vulnerability by November 8, 2024.

Impact

Exploitation of this vulnerability could lead to unauthorized access to case information and the ability to change user access rights, potentially enabling misuse of legal documents and case management.

Reproduction

To reproduce this vulnerability, log into TrueFiling with an authenticated account. Once logged in, manipulate the URL to change identifiers that control access to case information. This can be done by intercepting the request with a proxy tool, such as Burp Suite, and altering the identifiers before the request is sent. After modifying the identifiers, submit the request to access the altered case information or change user access rights.

Remediation

Users should update to TrueFiling version 3.1.112.19 or later, where this vulnerability has been addressed.
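The root cause in the Vulnerability section is a handler that trusts a client-supplied case identifier instead of checking the session user's authorization on the server. The following is an added illustration of that bug class beside its hardened form; it is not TrueFiling code, and the case records, access lists and request shape are assumed.

```python
# Added illustration of the bug class described above: a handler that trusts a
# client-controlled case identifier, beside one that checks server-side
# authorization. Not TrueFiling code; the case/ACL model below is assumed.
from dataclasses import dataclass

# Constructed sample data: case ids, their owners, and per-case reader lists.
CASES = {
    "case-1001": {"title": "Smith v. Jones", "owner": "alice", "readers": {"alice", "bob"}},
    "case-1002": {"title": "Doe v. Roe", "owner": "carol", "readers": {"carol"}},
}


@dataclass
class Request:
    user: str     # authenticated session user (established server-side)
    params: dict  # query-string / form values (entirely client-controlled)


class Forbidden(Exception):
    pass


def get_case_vulnerable(req):
    """Trusts the client-supplied id: any logged-in user can read any case."""
    case = CASES[req.params["case_id"]]
    return case["title"]


def get_case_fixed(req):
    """Looks the case up, then checks the session user's authorization."""
    case = CASES.get(req.params["case_id"])
    if case is None or req.user not in case["readers"]:
        # Same response for 'missing' and 'not yours' avoids leaking existence.
        raise Forbidden("case not found")
    return case["title"]


def grant_access_fixed(req):
    """Only the owner recorded server-side may change who can read a case."""
    case = CASES.get(req.params["case_id"])
    if case is None or case["owner"] != req.user:
        raise Forbidden("case not found")
    case["readers"].add(req.params["grantee"])
    return sorted(case["readers"])


def is_denied(handler, req):
    """True when the handler refuses the request with Forbidden."""
    try:
        handler(req)
    except Forbidden:
        return True
    return False
```

Detection-wise, the fixed handlers turn an identifier swap into a 403-style refusal, which is the event an application log should record rather than silently serving the record.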

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.6
remediation: 0.0
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.