Security advisories

This page has been moved to Zendesk. Please refer to this link for the latest version.

| Description | Reported date | Severity | Affected versions | Fixed versions | Reported by |
|---|---|---|---|---|---|
| Bad permission check over the /api/v1/users API endpoint. DELETE to delete users does not correctly check the ALL_USERS_UPDATE or MANAGE_USERS_BU permission. | | Medium | IriusRisk 1.9.0 to 1.12.1 | IriusRisk 2.x branch | Discovered during internal security reviews. |
| Bad permission check over the /api/v1/users API endpoint. POST to create users does not correctly check the ALL_USERS_UPDATE permission. This endpoint only supports user pre-creation when IriusRisk is integrated with LDAP or SAML IdPs. | | Medium | IriusRisk 1.8.0 to 1.12.1 | IriusRisk 2.x branch | Discovered during internal security reviews. |
| Password returned in clear-text response vulnerability; fixed in integration modules. | | Medium | IriusRisk 1.x branch | IriusRisk 2.x branch | Pramod Rana, Security Engineer |
| Updated our validation filter to fix a stored cross-site scripting vulnerability in the "My Recent Activity" view. | | High | IriusRisk 1.x branch < 1.12.1 | IriusRisk 1.12.1 and IriusRisk 2.x branch | Discovered during internal security reviews. |