Vulnerabilities · October 27, 2023 · 5 min read

CVE-2023-43900: IDOR in EMSigner exposes confidential documents

IDOR vulnerability in EMSigner v2.8.7 (CVSS 6.5) letting attackers access other users' documents by tampering with the DocumentId and EncryptedDocumentId parameters.

Summary

Name: Insecure Object Reference Vulnerability in Web Application Document Handling.

Product: EMSigner
Affected versions: EMSigner v2.8.7
Affected Components: Endpoint /Areas/AdhocLogin/GETALLDOCUMENTSWORKDETAILSShareDownload with parameter "DocumentId"; and endpoint /Areas/Share/InternalUserCompletedDownload with parameter "ID".
Attack Type: Remote
Vulnerability Type: Incorrect Access Control
Impact: Information Disclosure
CVSSv3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N — Base Score 6.5
CVE ID: CVE-2023-43900

Description

Insecure Direct Object References (IDOR) in EMSigner v2.8.7 allow attackers to gain unauthorized access to application content and view sensitive data of other users via manipulation of the documentID and EncryptedDocumentId parameters.

Vulnerability

The vulnerability stems from insecure handling of object references in the document-management functionality. The application permits unauthorized access to sensitive document data because it inadequately validates and controls access to specific parameters such as "DocumentID" and "EncryptedDocumentId".
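To make the access-control failure concrete, here is an added illustration (not EMSigner code; the document store, user model and function names are assumptions). It contrasts a lookup that trusts the supplied ID with one that authorizes the requester for that specific object, and then shows why an opaque or encrypted document handle is not a substitute for that check: the handle is minted for one user and the authorization is repeated when the handle is used.

```python
"""Object-level authorization for a document download endpoint.

Added illustration, not taken from the advisory or from EMSigner: the
document store, the user model and every function name below are
assumptions chosen to show the difference between looking a document up
by ID and authorizing the requester for that document.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Document:
    document_id: int
    owner: str
    name: str
    shared_with: set = field(default_factory=set)


class NotFound(Exception):
    """Raised for missing *and* unauthorized documents (same response)."""


# Constructed sample data: two owners, three documents, one shared.
DOCUMENTS = {
    17: Document(17, "alice", "alice-contract.pdf"),
    18: Document(18, "bob", "bob-payroll.pdf"),
    19: Document(19, "bob", "bob-invoice.pdf", shared_with={"alice"}),
}


def download_vulnerable(requesting_user: str, document_id: int) -> Document:
    """IDOR pattern: the ID is trusted and the requester is never consulted."""
    if document_id not in DOCUMENTS:
        raise NotFound(document_id)
    return DOCUMENTS[document_id]


def download_hardened(requesting_user: str, document_id: int) -> Document:
    """Authorize the (user, object) pair on every request."""
    doc = DOCUMENTS.get(document_id)
    authorized = doc is not None and (
        doc.owner == requesting_user or requesting_user in doc.shared_with
    )
    # Missing and unauthorized documents get the same answer, so a caller
    # iterating over IDs cannot learn which ones exist.
    if not authorized:
        raise NotFound(document_id)
    return doc


# Hypothetical opaque-handle scheme standing in for an "encrypted" document
# identifier. The handle is unguessable, stored server-side and bound to the
# user it was issued to; possessing it is not itself an authorization.
_HANDLES: dict = {}


def issue_download_handle(requesting_user: str, document_id: int) -> str:
    doc = download_hardened(requesting_user, document_id)  # authorize first
    handle = secrets.token_urlsafe(32)
    _HANDLES[handle] = (requesting_user, doc.document_id)
    return handle


def download_by_handle(requesting_user: str, handle: str) -> Document:
    entry = _HANDLES.get(handle)
    if entry is None or entry[0] != requesting_user:
        raise NotFound(handle)
    # Re-check at use time so a revoked share does not keep working.
    return download_hardened(requesting_user, entry[1])
```

The point of the second half is that the fix for the `EncryptedDocumentId` endpoint is the same as for the numeric one: the server decides who may read the object, and the identifier, encrypted or not, only names it.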

Attack Vector

The flaw is exploited through IDOR by manipulating parameter values — particularly "documentID" and "EncryptedDocumentId". An attacker can reach application content and view sensitive data belonging to other users.

Exploitation

During a web-application assessment of a deployment that used EMSigner, we identified the following attack chain:

  1. The attacker logs in as a low-privilege user and opens the document download option.
  2. The attacker intercepts the request https://domain.com/Areas/AdhocLogin/GETALLDOCUMENTSWORKDETAILSShareDownload?WorkFlowID=&DocumentID=19 and notices that the DocumentId parameter is a sequential integer.
  3. Burp Suite Intruder is used to send values between 1 and 999 to the DocumentId parameter, enumerating existing documents.
  4. The server responses — especially larger ones — expose DocumentName and EncryptedDocumentId, revealing the document's name and encrypted identifier.
  5. Using that value, the attacker crafts the request https://domain.com/Areas/Share/InternalUserCompletedDownload?ID=<EncryptedDocumentId> and downloads documents uploaded by any user.
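The enumeration in steps 2 and 3 leaves a distinctive trace: one client requesting the download endpoint with many distinct, mostly consecutive DocumentID values in a short time. The following added example (not from the advisory; the log format, field names and threshold are assumptions, and the log lines are constructed) parses combined-format access log lines, keeps only requests to the download path named in the advisory, and flags sources whose distinct-ID count exceeds a threshold, reporting the longest run of consecutive IDs as a second signal.

```python
"""Flag DocumentID enumeration against the download endpoint in access logs.

Added example, not part of the advisory. The log format, the field names,
the threshold and the sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Combined log format: src ident user [time] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

DOWNLOAD_PATH = "/Areas/AdhocLogin/GETALLDOCUMENTSWORKDETAILSShareDownload"
ENUM_THRESHOLD = 5  # distinct IDs from one source before alerting (assumption)

# Constructed sample: 10.0.0.5 walks IDs 1..7 after a normal request for 19,
# 10.0.0.9 makes a single normal request, and one line hits another path.
_P = "/Areas/AdhocLogin/GETALLDOCUMENTSWORKDETAILSShareDownload?WorkFlowID=&DocumentID="
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - alice [27/Oct/2023:10:00:01 +0000] "GET {_P}19 HTTP/1.1" 200 812']
    + [
        f'10.0.0.5 - alice [27/Oct/2023:10:00:{2 + i:02d} +0000] "GET {_P}{i + 1} HTTP/1.1" 200 410'
        for i in range(7)
    ]
    + [
        f'10.0.0.9 - carol [27/Oct/2023:10:01:00 +0000] "GET {_P}42 HTTP/1.1" 200 790',
        '10.0.0.9 - carol [27/Oct/2023:10:01:05 +0000] "GET /Areas/Share/Index HTTP/1.1" 200 3100',
    ]
)


def parse_line(line):
    """Return (src, user, document_id) for download requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    if parsed.path != DOWNLOAD_PATH:
        return None
    ids = parse_qs(parsed.query).get("DocumentID", [])
    if not ids or not ids[0].isdigit():
        return None
    return m.group("src"), m.group("user"), int(ids[0])


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    present = set(ids)
    best = 0
    for x in present:
        if x - 1 in present:
            continue  # only start counting at the beginning of a run
        n = 1
        while x + n in present:
            n += 1
        best = max(best, n)
    return best


def find_enumeration(log_text, threshold=ENUM_THRESHOLD):
    """Return one alert dict per source that requested >= threshold distinct IDs."""
    seen = defaultdict(set)
    users = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, user, doc_id = rec
        seen[src].add(doc_id)
        users[src] = user
    alerts = []
    for src, ids in sorted(seen.items()):
        if len(ids) >= threshold:
            alerts.append({
                "src": src,
                "user": users[src],
                "distinct_ids": len(ids),
                "longest_run": longest_consecutive_run(ids),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

In a real deployment the grouping key would normally be the session or authenticated user rather than the source address, and the window would be time-bounded; the consecutive-run figure is the useful discriminator, since a legitimate user opening several of their own documents rarely touches a long unbroken range of IDs.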

Remediation

An updated version of EMSigner is available from the vendor page.

Credits

The vulnerability was discovered by Jean Paul Granados (SecPro).

References

Vendor page: https://www.emsigner.com/

Timeline

  • 2023-02-27 — Vulnerability discovered.
  • 2023-05-08 — Vendor contacted.
  • 2023-05-24 — Vendor acknowledged the report.
  • 2023-09-01 — Vulnerability patched.
  • 2023-10-27 — Public disclosure.