Aranda Software Aranda Service Desk Log Exposure Vulnerability in File Server Component
Vulnerability
A vulnerability in the Aranda File Server component of Aranda Service Desk, affecting versions prior to 8.3.12, allows unauthenticated remote attackers to read daily activity logs stored in a publicly accessible directory. Because the log files follow a predictable, date-based naming format, an attacker can request them directly and extract the virtual paths of uploaded files, bypassing the access controls that normally apply to those files and downloading sensitive documents containing personally identifiable information (PII).
Impact
Exploitation of this vulnerability could lead to unauthorized access and exfiltration of PII, such as names, phone numbers, and email addresses of users. Additionally, it could allow access to confidential incident details and attached documents, along with knowledge of the server's internal directory structure.
Reproduction
The vulnerability can be reproduced by requesting, from the exposed logs directory, the log file named for the current date or a past date. The response is that day's activity log, which records the internal paths of the documents uploaded on that day. Once the paths are extracted, each file can be fetched directly from the Aranda File Server's public directory without authenticating.
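The access pattern described above leaves a distinctive trail in the IIS access log: one client reads a date-named file from the log directory, then fetches uploaded documents by direct path. The following detection logic is an added example written for this page, not code from Aranda or from the original advisory. The advisory does not publish the real directory names, so the log-directory and upload-directory prefixes, the `YYYY-MM-DD.log` filename pattern, and the W3C log lines are all constructed assumptions.

```python
# Added example (not from the original advisory or from Aranda): detect the
# log-harvesting pattern in IIS W3C access logs. Clients that successfully
# read a date-named file from the file server's log directory and then
# download files from the upload directory are reported together.
import re
from collections import defaultdict
from datetime import datetime

# Assumed locations; the advisory does not name the real directories.
LOG_DIR_PREFIX = "/ArandaFileServer/logs/"       # assumption
UPLOAD_DIR_PREFIX = "/ArandaFileServer/files/"   # assumption
# Assumed "predictable" daily-log naming: YYYY-MM-DD plus .log or .txt.
DATED_LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\.(?:log|txt)$", re.IGNORECASE)

# Constructed sample in IIS W3C format (the #Fields line drives the parser).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-02 10:14:03 10.0.0.5 GET /ArandaFileServer/logs/2024-05-01.log - 443 - 203.0.113.9 curl/8.0 200 0 0 41
2024-05-02 10:14:09 10.0.0.5 GET /ArandaFileServer/files/12345/contract.pdf - 443 - 203.0.113.9 curl/8.0 200 0 0 88
2024-05-02 10:14:11 10.0.0.5 GET /ArandaFileServer/files/12346/id-scan.jpg - 443 - 203.0.113.9 curl/8.0 200 0 0 70
2024-05-02 10:20:00 10.0.0.5 GET /ArandaServiceDesk/Home - 443 jdoe 198.51.100.20 Mozilla/5.0 200 0 0 15
2024-05-02 10:20:05 10.0.0.5 GET /ArandaFileServer/files/12345/contract.pdf - 443 jdoe 198.51.100.20 Mozilla/5.0 200 0 0 60
2024-05-02 11:00:00 10.0.0.5 GET /ArandaFileServer/logs/2024-05-02.log - 443 - 203.0.113.9 curl/8.0 404 0 2 5
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # unknown layout or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def detect_log_harvesting(text):
    """Return per-client findings: every dated-log read (date, status) and
    every upload-directory download made after that client's first successful
    log read. Clients that never touched the log directory are not reported."""
    findings = defaultdict(lambda: {"log_reads": [], "chained_downloads": []})
    exposed_since = {}  # c-ip -> time of first HTTP 200 on a dated log file
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        uri = rec["cs-uri-stem"]
        status = int(rec["sc-status"])
        ts = datetime.fromisoformat(f"{rec['date']} {rec['time']}")
        if uri.startswith(LOG_DIR_PREFIX):
            m = DATED_LOG_RE.match(uri[len(LOG_DIR_PREFIX):])
            if m:
                findings[ip]["log_reads"].append((m.group(1), status))
                if status == 200 and ip not in exposed_since:
                    exposed_since[ip] = ts
        elif (uri.startswith(UPLOAD_DIR_PREFIX)
              and ip in exposed_since and ts >= exposed_since[ip]):
            findings[ip]["chained_downloads"].append(uri)
    return {ip: f for ip, f in findings.items() if f["log_reads"]}


if __name__ == "__main__":
    for ip, f in detect_log_harvesting(SAMPLE_LOG).items():
        print(ip, "log reads:", f["log_reads"])
        print(ip, "downloads after log read:", f["chained_downloads"])
```

Failed log reads (the 404 above) are kept in the report because probing for non-existent dates is itself a signal; only a successful read arms the chained-download check. The legitimate user 198.51.100.20 downloads the same document but is not reported, since no log read preceded it.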
Remediation
Administrators are advised to update Aranda Service Desk to version 8.3.12 or higher. Independently of the update, the activity logs should be moved outside the web root so they cannot be served over HTTP, session validation should be enforced for every request to the service call and incident directories rather than relying on unguessable paths, and directory listing should be disabled on the IIS web server.
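Two of the three server-side mitigations can be verified from the site's IIS web.config: directory browsing must be off, and the log directory must not be reachable over HTTP. The check below is an added example for this page, not Aranda's code or configuration. Both config fragments are constructed, and the `logs` segment name is an assumption; hiding that segment via IIS request filtering is a defense-in-depth measure that complements, but does not replace, moving the logs outside the web root.

```python
# Added example (not from Aranda or the original advisory): audit an IIS
# web.config for the mitigations named in the advisory. The weak and hardened
# fragments are constructed; "logs" is an assumed directory name.
import xml.etree.ElementTree as ET

# Constructed: directory browsing on, log directory served like any other path.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>"""

# Constructed: browsing off, and any URL containing a "logs" segment is
# rejected by IIS request filtering before it reaches the application.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="logs" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text, log_segment="logs"):
    """Return a list of findings; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    issues = []

    # An absent <directoryBrowse> inherits the server-level setting, which an
    # auditor cannot see from this file alone, so treat it as not verified.
    browse = root.find("./system.webServer/directoryBrowse")
    if browse is None:
        issues.append("directoryBrowse not set explicitly; inherits from applicationHost.config")
    elif browse.get("enabled", "false").lower() != "false":
        issues.append("directoryBrowse enabled=true: directory listing is on")

    hidden = {
        (el.get("segment") or "").lower()
        for el in root.findall(
            "./system.webServer/security/requestFiltering/hiddenSegments/add")
    }
    if log_segment.lower() not in hidden:
        issues.append(f'"{log_segment}" is not a hidden segment; log directory is reachable over HTTP')
    return issues


if __name__ == "__main__":
    print("weak:", audit_web_config(WEAK_CONFIG))
    print("hardened:", audit_web_config(HARDENED_CONFIG))
```

Run it against the deployed web.config after patching; the expected result on a correctly hardened site is an empty list. A non-empty list on an 8.3.12 or later install still means the log directory is one misconfiguration away from exposure, even if the application-level fix is in place.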
