Skip to main content
Skip table of contents

2021 01 25 - P3 Security issue (Hidden Items)

A security vulnerability was recently identified and fixed in Elements Connect. Here are the details about the issue, its impact and the analysis and actions taken.

Nature of the issue

The vulnerability affected version 1.1.3-AC of Elements Connect.
The vulnerability meant that any logged in user could access hidden items values when creating or displaying a request on the portal.
This vulnerability has been rated as low, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was detected by internal investigations on .

Impact

This vulnerability if exploited, would lead to data exposition but could not lead to data modification.

Analysis and actions taken

Once we detected the issue, a plan was elaborated by the IT team to analyse the situation, bring a fix for the issue and deploy it as quickly as possible.
Our investigations revealed that the problem was caused by a homogeneous management of Connected items, when hidden items should have been handled aside.

We differentiated the management of hidden Connected item so as to avoid sending any of their data on the portal.

Deployment of the fixed version was conducted by following the usual CI procedure on .
On top of the automatic tests, we made another series of tests to ensure that the problem was fixed in production.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "ECC-841".

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.