Security Advisories

CVE-2022-43271

Stored XSS Vulnerability
RESOLVED

Reported: 5:29PM 2 August 2022

Resolved: 12:47AM 4 August 2022

Product: Move CRM

Summary

Stored cross-site scripting (XSS) vulnerabilities were reported in our Move CRM product. Exploitation required valid login credentials. If exploited, the vulnerability could have allowed an authenticated attacker to store script in CRM data that would then execute in the browsers of other users who viewed that data.

Hijacking another user's session via this route is not trivial, because sessions are bound to the IP address of the user who created them: a stolen session token presented from a different address is rejected with a "403 Bad Session" error. This binding limits replay of a stolen token from elsewhere; it does not stop script already running in a victim's browser from issuing requests with that victim's own session.
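To illustrate the two mechanisms above, here is a small Python example added to this advisory. It is not Move CRM code: the record field ("notes"), the payload, the session model and the RFC 5737 test addresses are all assumptions. It renders a stored contact record with and without HTML escaping, and models a session store that rejects a token presented from a different IP with "403 Bad Session" while still accepting requests made with the same token from the victim's own address.

```python
import html
import secrets

# Constructed sample record. The field name "notes" and the payload are
# illustrative only; the advisory does not disclose the affected field.
PAYLOAD = '<img src=x onerror="fetch(\'/api/export\')">'
CONTACT = {"name": "A. Customer", "notes": PAYLOAD}


def render_contact_unsafe(contact):
    """Interpolates stored fields straight into HTML: the stored-XSS pattern."""
    return f"<h1>{contact['name']}</h1><p>{contact['notes']}</p>"


def render_contact_safe(contact):
    """Escapes each stored field for the HTML text context before interpolation."""
    return (f"<h1>{html.escape(contact['name'])}</h1>"
            f"<p>{html.escape(contact['notes'])}</p>")


class SessionStore:
    """Server-side sessions bound to the client IP seen at login.

    Hypothetical model of the mitigation the advisory describes; not the
    product's implementation.
    """

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def authorize(self, sid, client_ip):
        """Returns (status, body); a token presented from another IP gets 403."""
        sess = self._sessions.get(sid)
        if sess is None or sess["ip"] != client_ip:
            return 403, "Bad Session"
        return 200, sess["user"]


def demo():
    """Runs both halves and returns the observations (RFC 5737 test addresses)."""
    store = SessionStore()
    victim_ip, attacker_ip = "203.0.113.10", "198.51.100.7"
    sid = store.login("victim", victim_ip)
    return {
        # An <img> tag forms only in the unescaped rendering.
        "unsafe_forms_tag": "<img" in render_contact_unsafe(CONTACT),
        "safe_forms_tag": "<img" in render_contact_safe(CONTACT),
        # Stolen token replayed from the attacker's host: rejected.
        "replay_from_attacker": store.authorize(sid, attacker_ip),
        # Request made by injected script inside the victim's own browser:
        # same token, same IP, so the binding does not apply.
        "request_from_victim_browser": store.authorize(sid, victim_ip),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The escaped rendering keeps the payload as visible text (`&lt;img ...`), which is the fix for the HTML text context only; attributes, URLs and script blocks each need their own encoding.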

The vulnerability was patched in production within 36 hours of the initial notification (about 31 hours after the first report and roughly 12 hours after full details were provided; see History).

Pre-conditions

Valid security credentials were required to exploit this vulnerability.

Recommended Action

No action required. All instances have been patched, and corrected source code was supplied to Enterprise Partners on 4 August (see History).

History

  • We were advised of a probable stored cross-site scripting vulnerability in Move CRM at 5:29pm 2nd August. Details were not provided at that time.
  • Further details of the vulnerability were provided at 12:19pm 3rd August.
  • At 1:58pm 3rd August we acknowledged the vulnerability.
  • At 12:47am 4th August we patched our production systems.
  • At 1:53am 4th August we supplied corrected source code to Enterprise Partners.

*Times reported are AEST