• Software Link:
• Affected Versions:
Version 3.1.1 and probably other versions.
• Vulnerability Description:
The application does not properly restrict access to certain AJAX functionalities. This can be exploited to bypass the authentication mechanism and access such functionalities without valid credentials.
No official solution is currently available.
• Disclosure Timeline:
[06/11/2013] – Vendor notified
[06/11/2013] – Vendor response stating “Please immediately cease and desist all such communications”
[05/12/2013] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-5356 to this vulnerability.
Vulnerability discovered by Egidio Romano, Secunia Research.
• Original Advisory: