CVE
- Id
- 1152
- CVE No.
- CVE-1999-1172
- Status
- Candidate
- Description
- By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared.
- Phase
- Proposed (20010912)
- Votes
- MODIFY(1) Frech | NOOP(3) Cole, Foat, Wall | REVIEWING(1) Christey
- Comments
- Christey> The discloser does not provide enough details to fully | understand what the problem is. This makes it difficult | because if Maximizer has a concept of "users" and it is | designed to allow any user to modify any other user"s data, | then this would not be a vulnerability or exposure, unless | that "cross-user" capability could be used to violate system | integrity, data confidentiality, or the like. There are some | features of Maximizer 6.0 that, if abused, could allow someone | to do some bad things. For example, an attacker could modify | the email addresses for contacts to redirect sales to | locations besides the customer. There"s also a capability of | assigning priorities and alarms, which could be susceptible to | an "inconvenience attack" at the very least, as well as | tie-ins to e-commerce capabilities. | | The critical question becomes: "how is this data shared" in | the first place? If it"s through a network share or other | distribution method besides transferring the complete database | between sites, then this may be accessible to any attacker who | can mimic a Maximizer client (if there is such a thing as a | client), and this could be a vulnerability or exposure | according to the CVE definition. | | However, since the Maximizer functionality is unknown to me | and not readily apparent from product documentation, it"s hard | to know what to do about this one. | CHANGE> [Frech changed vote from REVIEWING to MODIFY] | Frech> XF:maximizer-enterprise-calendar-modification(7590)
