Inova Partner 5.0.5-RELEASE, Build 0510-0906, and earlier (on-premise installation) allows authenticated users authorization bypass and data manipulation in certain functions
--------------------------------------------------------------------

ID: KPMG-2018-07-002
Vendor: Inova Software
Software Name: Inova Partner
Vendor URL: https://www.inova-software.com
Vulnerable/tested versions: Inova Partner 5.0.5-RELEASE, Build 0510-0906, and earlier (on-premise installation)
Author: Sascha Eilers (KPMG)
Vulnerability status: Not fixed
Risk Level: High
CVSS Score: 7.6 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Product Details
---------------
Inova Partner is a CRM solution dedicated to biotech, pharma and other life science companies. It allows users to centralize opportunity and project information, including information on the asset, company, project description, status, discussions, on-going activities, next steps, important emails and documents, reviews and more. An integrated document management system enables users to store, share, and manage CDA and due diligence documents. Furthermore, the application offers easier collaboration via its review features on associated documents for internal and external partners. Inova Partner is designed to allow for data access based on the assigned privilege levels to provided information, functionalities and modules.

Vulnerability Details
---------------------
Description:
The application is prone to an authorization bypass vulnerability and does not properly check authorization to access restricted functionalities.

A) "assign to" function
An authenticated user having read-only privileges for accessible modules can, under certain conditions, assign new or additional users as owner of an object. Assigned authorization within the associated object did not prevent the vulnerability. Objects marked as restricted are excluded from this issue.

B) "choose participants" function
An authenticated user having read-only privileges for accessible modules can, under certain conditions, add arbitrary users as participants in reviews. Objects marked as restricted are excluded from this issue.

Prerequisites:
For read-only users, the URL to the individual object overview page must be known and access to the corresponding module must be given. Read-write users must have access to the corresponding module and can obtain the required URL by creating new objects.

Authentication required:
Authentication is required.

Vulnerability Type:
Bypass authorization/data manipulation/information disclosure

Risk/Impact:
An attacker or malicious user with read-only privileges can access the affected resources and manipulate ownership of objects which are currently not explicitly restricted.

Proof of Concept
----------------
A) "assign to" function
During our analysis, we were able to access the function "assign to" by the following URLs:

Assets
https://example.com/inova-partner/ctx/auth/J6B817BF243AABA19EE135548557F2DE2.do?productOid=ProductImpl.16491.Tenant-1

Activity (for module Assets)
https://example.com/inova-partner/ctx/auth/J815165977520A83E99836BBD76817CDB.do?productOid=ProductImpl.16495.Tenant-1

Events tracker
https://example.com/inova-partner/ctx/auth/JD8F149330D96600234473D5BFBF60E94.do?asset2Oid=Asset2Impl.16496.Tenant-1

In-Licensing/Acquisitions
https://example.com/inova-partner/ctx/auth/page.project.assignto.do?projectOid=InLicensingProjectImpl.27269.Tenant-1

Pitches
https://example.com/inova-partner/ctx/auth/J171BAEBD3CFC434697F194DF0C3C1B39.do?asset3Oid=Asset3Impl.16493.Tenant-1

The users that can be assigned are limited to given read-write users. Success of the ownership modification can be verified in the corresponding object overview page and via the associated audit log. With regard to pitches, the application responded with an "Access forbidden" message; however, the request was executed successfully.
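
An "Access forbidden" response combined with an applied change is what a privilege check produces when it runs only after the state change. The following is an added illustration, not part of the original advisory and not Inova Partner code; the privilege model, class names and handlers are hypothetical, and the ordering shown is an assumed cause that the advisory does not confirm.

```python
# Added illustration: a minimal model, not Inova Partner code. All names are hypothetical.
from dataclasses import dataclass, field

LEVELS = {"read": 1, "write": 2}

class Forbidden(Exception):
    """Raised when the caller lacks the privilege an action requires."""

@dataclass
class User:
    name: str
    module_rights: dict  # module name -> "read" or "write" (assumed model)

@dataclass
class Asset:
    oid: str
    module: str
    owners: list = field(default_factory=list)

def require(user, module, needed):
    """Raise Forbidden unless the user holds at least `needed` on the module."""
    if LEVELS.get(user.module_rights.get(module), 0) < LEVELS[needed]:
        raise Forbidden(f"{user.name} lacks {needed} on {module}")

def assign_owner_flawed(user, obj, new_owner):
    """Gates the write on module access only; the write check comes too late."""
    require(user, obj.module, "read")    # the only check before the change
    obj.owners.append(new_owner)         # ownership is already modified here
    require(user, obj.module, "write")   # caller gets "forbidden", change stays
    return "assigned"

def assign_owner_checked(user, obj, new_owner):
    """Enforces the write privilege server-side before any state is touched."""
    require(user, obj.module, "write")
    obj.owners.append(new_owner)
    return "assigned"

def demo():
    """Run both handlers as a read-only user on constructed sample objects."""
    reader = User("reader", {"Pitches": "read"})
    results = {}
    for name, handler in (("flawed", assign_owner_flawed), ("checked", assign_owner_checked)):
        obj = Asset("Sample.1", "Pitches")
        try:
            status = handler(reader, obj, "editor")
        except Forbidden:
            status = "forbidden"
        results[name] = (status, obj.owners)
    return results
```

Both handlers answer the read-only user with a refusal; only the flawed one leaves the new owner on the object, which is why the object overview page and audit log, not the HTTP response, are the reliable evidence.
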

B) "choose participants" function
During our analysis, we were able to access the function "choose participants" by the following URLs:

Review (choose participants)
https://example.com/inova-partner/ctx/auth/JA4BE86F49484087A4752998244B02C05.do?reviewOid=Review.1327.Tenant-1&asset2Oid=Asset2Impl.3343.Tenant-1

Success of the participant assignment can be verified in the corresponding object summary section and via the associated audit log.

Solution
--------
Not available

Timeline
--------
Vulnerability discovered: 2018-05-11
Vendor notified: 2018-07-18
Vendor fix provided: N/A
Publication date: 2018-11-05

Credits
-------
This security vulnerability was found by Sascha Eilers of KPMG AG WPG.
E-Mail: seilers (at) kpmg.com
Key fingerprint = aa 18 90 16 74 24 05 b2 8b 81 bc b6 2d c3 f1 2b e0 ac dd 47

(CVE) References
----------------
Vendor URL: https://www.inova-software.com
KPMG AG WPG: https://home.kpmg.com/de/en/home.html
KPMG Security Advisory KPMG-2018-002: https://www.kpmg.de/noindex/advisories/KPMG-2018-002.txt

Disclaimer
----------
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the KPMG AG WPG website.

Copyright
---------
Creative Commons - Attribution (by) - Version 3.0
http://creativecommons.org/licenses/by/3.0/deed.en