Vasion Print Local Log Disclosure Vulnerability Allowing Session Hijacking

Vulnerability

A vulnerability exists in Vasion Print Virtual Appliance Host versions prior to 1.0.735 and Application versions prior to 20.0.1330, specifically in macOS and Linux client deployments. The issue arises from the local logging mechanism, which stores authentication session tokens, including PHPSESSID, XSRF-TOKEN, and laravel_session, in cleartext within log files that are readable by all users. This exposure allows any local user with access to the machine to extract these session tokens and authenticate remotely to the SaaS environment, bypassing normal login credentials. Such exploitation could lead to unauthorized system access and exposure of sensitive information.
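A check for the condition described above on a macOS or Linux client, as an added example that is not from the advisory or from Vasion: it reports files that are both world-readable and contain any of the three named tokens, without ever returning the token values. The log directory is not given on this page, so the caller supplies it. The name=value / name: value line layout is an assumption, and the sample log lines are constructed.

```python
import os
import re
import stat
import tempfile

# Cookie names the advisory lists as logged in cleartext.
TOKEN_NAMES = ("PHPSESSID", "XSRF-TOKEN", "laravel_session")
# Assumed layout: name=value or name: value. Group 1 is the name; the value
# (group 2) is matched only so it can be counted, never stored or printed.
TOKEN_RE = re.compile(
    "(" + "|".join(map(re.escape, TOKEN_NAMES)) + r")\s*[=:]\s*[\"']?([^\s;\"',]+)"
)

def audit_file(path):
    """Report mode bits and per-token counts for one file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    counts = {}
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            for m in TOKEN_RE.finditer(line):
                counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    world = bool(mode & stat.S_IROTH)  # the "other" read bit
    return {"path": path, "mode": oct(mode), "world_readable": world,
            "tokens": counts, "exposed": world and bool(counts)}

def audit_dir(log_dir):
    """Return findings for files under log_dir that match the advisory's condition."""
    paths = (os.path.join(r, n) for r, _d, fs in os.walk(log_dir) for n in sorted(fs))
    return [f for f in map(audit_file, paths) if f["exposed"]]

def demo():
    """Audit three constructed sample logs written to a temporary directory."""
    d = tempfile.mkdtemp()
    samples = {  # file name: (mode, constructed content)
        "client.log": (0o644, "Cookie: PHPSESSID=CONSTRUCTED-1; laravel_session=CONSTRUCTED-2\n"),
        "private.log": (0o600, "set cookie XSRF-TOKEN=CONSTRUCTED-3\n"),
        "clean.log": (0o644, "printer list refreshed\n"),
    }
    for name, (mode, text) in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
        os.chmod(os.path.join(d, name), mode)
    return audit_dir(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Tokens found in a flagged file should be treated as compromised: the affected sessions need to be invalidated on the server side, not only removed from the log.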

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can impersonate a user by using the extracted session tokens to gain unauthorized access to the Vasion Print SaaS environment.

Remediation

Users can update to Vasion Print Virtual Appliance Host version 1.0.735 and Application version 20.0.1330 or later. For Vasion Print on Windows, update to version 25.0.0.897 or later. If using a third-party software deployment, the Client installation package is available as an MSI.

Added: Sep 19, 2025, 7:44 PM
Updated: Sep 19, 2025, 7:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.3
remediation: 0.0
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.