Summaryinfo

A vulnerability identified as problematic has been detected in Misys FusionCapital Opics Plus. The impacted element is an unknown function. Performing a manipulation of the argument xmlMessageOut results in access control. This vulnerability is identified as CVE-2016-5654. The attack can be initiated remotely. There is not any exploit available.

Detailsinfo

A vulnerability was found in Misys FusionCapital Opics Plus (affected version not known). It has been classified as critical. This affects some unknown functionality. The manipulation of the argument xmlMessageOut with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-264. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Misys FusionCapital Opics Plus allows remote authenticated users to gain privileges via a man-in-the-middle attack that modifies the xmlMessageOut parameter.

The weakness was released 07/19/2016 (Website). The advisory is shared at kb.cert.org. This vulnerability is uniquely identified as CVE-2016-5654 since 06/16/2016. It is possible to initiate the attack remotely. A authentication is required for exploitation. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 92035†). Entries connected to this vulnerability are available at VDB-90140 and VDB-90142. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Misys

Name

• FusionCapital Opics Plus

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion