Asseco SEE Live Insecure Access Control Vulnerability Allowing Unauthorized Access to Email Attachments
Vulnerability
A vulnerability exists in Asseco SEE Live version 2.0 within the Contact Plan, E-Mail, SMS, and Fax components. Because access control on stored attachments is insecure, remote attackers can access and execute attachments through a computable URL.
Impact
Exploitation of this vulnerability could lead to unauthorized access and execution of email attachments, potentially allowing for the execution of malicious payloads.
Reproduction
To reproduce this vulnerability, first send a file as an email attachment using the application, or receive an email with an attachment that the application will automatically download. The downloaded attachment will be saved to the host. Next, compute the MD5 hash of the downloaded file. The vulnerability can then be exploited by accessing the file through a specific URL format that includes the date, MD5 hash, and file extension.
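One way to close this gap, shown as an added example that is not Asseco's code and not part of the original advisory: the content-derived reference next to a store that issues random handles and checks the session owner on every fetch. The names `weak_reference`, `AttachmentStore` and `AccessDenied`, the layout of the reference string and the response headers are all assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    owner: str
    filename: str
    data: bytes


class AccessDenied(Exception):
    """Raised for unknown handles and for handles owned by someone else."""


def weak_reference(received_on: str, data: bytes, ext: str) -> str:
    # Content-derived reference of the kind the advisory describes: anyone who
    # holds the file and knows the date gets the same string.
    # Field order and separators are constructed; the page does not give them.
    return f"{received_on}/{hashlib.md5(data).hexdigest()}.{ext}"


class AttachmentStore:
    """Hypothetical store: random handles plus a per-request owner check."""

    def __init__(self) -> None:
        self._items: dict[str, Attachment] = {}

    def put(self, owner: str, filename: str, data: bytes) -> str:
        handle = secrets.token_urlsafe(32)  # 256 random bits, unrelated to content
        self._items[handle] = Attachment(owner, filename, data)
        return handle

    def get(self, handle: str, session_user: str | None) -> tuple[dict, bytes]:
        item = self._items.get(handle)
        # Same error for "unknown" and "not yours", so there is no existence oracle.
        if item is None or session_user is None or item.owner != session_user:
            raise AccessDenied("attachment not available")
        # Assumed hardening: force a download instead of in-browser rendering.
        headers = {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": "attachment",
            "X-Content-Type-Options": "nosniff",
        }
        return headers, item.data
```

The random handle only removes predictability; the owner check in `get` is what enforces access control, so a leaked handle is still useless without the owner's session.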
