#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  ONELAN CMS [1]
# Vendor:   ONELAN
# CSNC ID:  CSNC-2018-010
# Subject:  Account Brute Force
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Stephan Sekula
# Date:     06.02.2018
#
#############################################################

Introduction:
-------------
The ONELAN Content Management System (CMS) software leverages more than a
decade of development and industry experience to deliver users a business
tool that makes creating, publishing and managing content simple and
dependable. [1]

Compass Security discovered a security flaw in the ONELAN CMS, which allows
attackers to brute-force user accounts.

Affected:
---------
Vulnerable:
 * CMS V3.3.0 Build 56815

Technical Description:
----------------------
The application does not implement any mechanism to temporarily lock user
accounts on too many failed login attempts in short succession.

Workaround / Fix:
-----------------
This issue can be fixed by temporarily locking user accounts if too many
failed login attempts occur within a short time.

Timeline:
---------
2018-05-29: Public disclosure
2018-05-28: Release of fixed version/patch
2018-02-12: Initial vendor response
2018-02-06: Initial vendor notification
2018-02-06: Discovery by Stephan Sekula

References:
-----------
[1] https://onelan.com/products/publisher-cms/
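The temporary lockout that the Workaround / Fix section describes, as an added example in Python that is not part of this advisory and not code from ONELAN's product. The thresholds (5 failures within 300 seconds, 15-minute lock), the injectable clock and the callable that stands in for the real password check are assumptions for illustration.

```python
"""Temporary account lockout after repeated failed logins (added example).

Assumed thresholds, not taken from the advisory: after MAX_FAILURES failed
attempts within WINDOW_SECONDS the account is refused for LOCKOUT_SECONDS.
"""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures tolerated per account ...
WINDOW_SECONDS = 300    # ... within this sliding window
LOCKOUT_SECONDS = 900   # how long the account then stays locked


class LoginGuard:
    """Tracks failed logins per account and locks the account temporarily."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                       # injectable for testing
        self._failures = defaultdict(deque)      # account -> failure timestamps
        self._locked_until = {}                  # account -> unlock time

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self._locked_until[account]          # lock has expired
        return False

    def attempt(self, account, verify):
        """Return 'locked', 'ok' or 'denied'.

        verify() performs the real credential check and is only called when
        the account is not locked, so a locked account gives no hint about
        whether the submitted password was correct."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        if verify():
            self._failures.pop(account, None)    # success resets the counter
            return "ok"
        stamps = self._failures[account]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()                     # forget failures outside window
        if len(stamps) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            stamps.clear()
            return "locked"
        return "denied"
```

Apply the same lockout check for every login path (web form, API, mobile client), since a limit enforced on only one of them leaves the others brute-forceable.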