- #HOW TO UPDATE PORTFOLIO EXTENSIS UPDATE#
- #HOW TO UPDATE PORTFOLIO EXTENSIS ARCHIVE#
- #HOW TO UPDATE PORTFOLIO EXTENSIS PATCH#
- #HOW TO UPDATE PORTFOLIO EXTENSIS SOFTWARE#
- #HOW TO UPDATE PORTFOLIO EXTENSIS CODE#
#HOW TO UPDATE PORTFOLIO EXTENSIS UPDATE#
The Daily Swig has reached out to Extensis with additional queries and we will update if and when we hear back. “As such, White Oak Security is compelled to disclose these issues publicly.”
#HOW TO UPDATE PORTFOLIO EXTENSIS PATCH#
“Unfortunately, Extensis was not receptive to the disclosure of these vulnerabilities and has not made a patch available at this time,” the researchers say. According to White Oak Security, Extensis said “these security issues had not been prioritized and Extensis did not have an expected date for remediation”.Īs of February 17, the cybersecurity team says that Extensis “has not provided White Oak Security any indication that these vulnerabilities will be fixed”. On October 22, the cybersecurity researchers told Extensis that four other critical vulnerabilities also needed to be resolved, and while the vendor provided mitigation options for the unrestricted file upload bug, the company allegedly refused to give a timeline for any further fixes.Ī total of 164 days passed since disclosure before the researchers decided to take their findings public. White Oak Security confirmed that the original RCE vulnerability was unpatched in v4.0.0, and after requesting further information from the vendors on the fixes, there was radio silence. It was not until September 29 that White Oak Security said it was able to contact the vendor – and only by leveraging a client contact.Īccording to the researchers’ disclosure timeline, Extensis confirmed receipt of the report and recommended that the team test Portfolio Server v.4.0.0, as some fixes had been issued after v.3.6.3.
The company was also told it could not contact Extensis “without an active contractual service agreement”. The researchers spent the month of August 2021 trying to contact the vendor through online forms, sales channels, and social media, only to be promised a security contact that never materialized. RECOMMENDED Critical vulnerabilities in Zabbix Web Frontend allow authentication bypass, RCE on servers In White Oak Security’s case, however, coordinated disclosure apparently proved to be difficult.
#HOW TO UPDATE PORTFOLIO EXTENSIS SOFTWARE#
When it comes to vulnerability disclosure, many cybersecurity firms offer a 90-day window for vendors to triage and patch vulnerabilities once they have been reported.ĭetails of the flaws will then be made public, even if in a redacted fashion – a practice aimed at encouraging organizations to fix security issues found in their software in a timely manner. It is not known if any of these vulnerabilities are being exploited in the wild.
#HOW TO UPDATE PORTFOLIO EXTENSIS ARCHIVE#
#HOW TO UPDATE PORTFOLIO EXTENSIS CODE#
The pen testers then examined the source code of Extensis Portfolio version 3.6.3 and found a total of five vulnerabilities that required immediate attention: This alleged zero-day was the first serious security flaw White Oak Security discovered. Read more of the latest infosec research news Take fiveĭuring an independent penetration test, the cybersecurity researchers uncovered an instance of the software, deployed online, with default administrator credentials in use.Īfter examining the security oversight further, the duo found they were able to achieve remote code execution (RCE) through an unrestricted file upload bug. On February 17, White Oak Security researchers Michael Rand and Talis Ozols publicly disclosed vulnerabilities in digital asset management software Extensis Portfolio.Įxtensis Portfolio comprises a user-facing main content management application, an administrator portal, and a content hosting application. Researchers have disclosed critical vulnerabilities in Extensis Portfolio, including a zero-day flaw that’s yet to be patched.
Extensis was described as ‘not receptive’ to disclosure and has allegedly not provided patches
0 kommentar(er)
