Vendor: Checkbox
By: Fady Mohamed Osman
CVSS: 7.5 (HIGH)
Type: Multiple
CWE: 22
Product Name: Checkbox
Affected Version From: Check Box 2016 Q2
Affected Version To: Check Box 2016 Q4
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested: Windows Server 2012
2017
Check Box 2016 Q2 Survey Multiple Vulnerabilities
Checkbox is a survey application deployed by a number of high-profile companies and government entities. The reported vulnerabilities are a directory traversal vulnerability, an insecure direct object reference vulnerability, and an open redirection vulnerability. The directory traversal vulnerability allows an attacker to download sensitive files such as the web.config file. The direct object reference vulnerability allows access to attachments without logging in. The open redirection vulnerability allows an attacker to redirect users to a malicious website.
Mitigation:
The vendor should fix the directory traversal vulnerability by validating the user-supplied file path against the intended download directory and restricting access to sensitive files such as web.config. The direct object reference vulnerability should be fixed by enforcing authentication and an authorization check on every attachment request. The open redirection vulnerability should be fixed by validating redirection URLs and accepting only targets within the application.
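As an added illustration, not Checkbox's own code, the following C# helpers show the two input-handling fixes the mitigation calls for in an ASP.NET application: canonicalising an attachment name against a fixed root so that web.config or any file outside that root cannot be fetched, and accepting only application-relative redirect targets. The names SafeRequestHelpers and attachmentRoot are assumptions for the example; the attachment handler must still authenticate and authorise the caller before using these helpers.

```csharp
using System;
using System.IO;

// Added example (not Checkbox's code): defensive checks for the traversal
// and open-redirect issue classes described in the advisory.
public static class SafeRequestHelpers
{
    // Names that must never be served even when they sit under the root.
    private static readonly string[] DeniedFiles = { "web.config" };

    // Resolve a user-supplied attachment name against a fixed root directory.
    // Returns null when the result escapes the root (e.g. "..\\..\\web.config")
    // or names a denied file; otherwise the canonical full path.
    public static string ResolveAttachmentPath(string attachmentRoot, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName)) return null;

        // Normalise the root and make sure it ends with a separator so that
        // "C:\app\attachments-evil" cannot pass a prefix check for "C:\app\attachments".
        string root = Path.GetFullPath(attachmentRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // GetFullPath collapses "." and ".." segments and mixed separators,
        // so the containment check below sees the real target.
        string full = Path.GetFullPath(Path.Combine(root, requestedName));

        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

        string fileName = Path.GetFileName(full);
        foreach (string denied in DeniedFiles)
        {
            if (string.Equals(fileName, denied, StringComparison.OrdinalIgnoreCase)) return null;
        }
        return full;
    }

    // Accept only application-relative redirect targets. Absolute URLs
    // ("http://...") and protocol-relative ones ("//host/...") are refused,
    // as is the backslash variant some browsers treat as "//".
    public static bool IsSafeRedirect(string target)
    {
        if (string.IsNullOrEmpty(target)) return false;
        if (!target.StartsWith("/", StringComparison.Ordinal)) return false;
        if (target.StartsWith("//", StringComparison.Ordinal)) return false;
        if (target.StartsWith("/\\", StringComparison.Ordinal)) return false;
        return Uri.IsWellFormedUriString(target, UriKind.Relative);
    }
}
```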