Description
A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected products
- Abacus Research AG / Abacus ERPv2022 – R1 of 2022-01-15
- Abacus Research AG / Abacus ERPv2021 – R4 of 2022-01-15
- Abacus Research AG / Abacus ERPv2020 – R6 of 2022-01-15
- Abacus Research AG / Abacus ERPR5 (service pack) – v2019*
- Abacus Research AG / Abacus ERPR5 (service pack) – v2018*
- Abacus Research AG / Abacus ERPv2017 – and prior versions
References
- VENDOR_ADVISORYhttps://www.redguard.ch/advisories/abacus_mfa_bypass.txt