med0x2e · December 15, 2017 20:44
diff --git a/CVE-2017-11463 b/CVE-2017-11463
 [Suggested description]
 In LANDESK Management Suite 2016.4 and 2017.x, an Unrestricted
 Direct Object Reference leads to referencing/updating objects
 belonging to other users. In other words, a normal user
 can send requests to a specific URI with the
 target user's username in an HTTP payload in order to retrieve a
 key/token and use it to access/update objects belonging to other
 users. Such objects could be user profiles, tickets, incidents, etc.
 ------------------------------------------
 [Additional Information]
 Any authenticated user may take advantage of such insecure permission
 issue to access and update objects belonging to other users, such
 objects are and not limited to users' profiles, tickets, and incidents
 ..etc.
 ------------------------------------------
 [Vulnerability Type]
 Insecure Permissions
 ------------------------------------------
 [Vendor of Product]
 Landesk
 ------------------------------------------
 [Affected Product Code Base]
 LANDESK Management Suite - 2016.4, 2017.x
 ------------------------------------------
 [Affected Component]
 LANDESK Management suite objects such as user profiles, users' tickets and incidents and other possible objects.
 ------------------------------------------
 [Attack Type]
 Remote
 ------------------------------------------
 [Impact Denial of Service]
 true
 ------------------------------------------
 [Impact Escalation of Privileges]
 true
 ------------------------------------------
 [Impact Information Disclosure]
 true
 ------------------------------------------
 [CVE Impact Other]
 Updating other users profiles, Updating other users submitted tickets, incidents
 ------------------------------------------
 [Discoverer]
 Elazaar Mohamed
	[Suggested description]
	In LANDESK Management Suite 2016.4 and 2017.x, an Unrestricted
	Direct Object Reference leads to referencing/updating objects
	belonging to other users. In other words, a normal user
	can send requests to a specific URI with the
	target user's username in an HTTP payload in order to retrieve a
	key/token and use it to access/update objects belonging to other
	users. Such objects could be user profiles, tickets, incidents, etc.
	------------------------------------------
	[Additional Information]
	Any authenticated user may take advantage of such insecure permission
	issue to access and update objects belonging to other users, such
	objects are and not limited to users' profiles, tickets, and incidents
	..etc.
	------------------------------------------
	[Vulnerability Type]
	Insecure Permissions
	------------------------------------------
	[Vendor of Product]
	Landesk
	------------------------------------------
	[Affected Product Code Base]
	LANDESK Management Suite - 2016.4, 2017.x
	------------------------------------------
	[Affected Component]
	LANDESK Management suite objects such as user profiles, users' tickets and incidents and other possible objects.
	------------------------------------------
	[Attack Type]
	Remote
	------------------------------------------
	[Impact Denial of Service]
	true
	------------------------------------------
	[Impact Escalation of Privileges]
	true
	------------------------------------------
	[Impact Information Disclosure]
	true
	------------------------------------------
	[CVE Impact Other]
	Updating other users profiles, Updating other users submitted tickets, incidents
	------------------------------------------
	[Discoverer]
	Elazaar Mohamed