Incorrect Access Control in Omnis Studio 10.22.00: Bypassing Always Private Library Protection

CVE-2023-38335 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Omnis Studio 10.22.00 has incorrect access control. It advertises a feature for making Omnis libraries "always private", which is supposed to be an irreversible operation. However, due to implementation issues, "always private" Omnis libraries can still be opened by the Omnis Studio browser by bypassing specific checks. This violates the expected behavior of an "irreversible operation".
