Security vulnerabilities in aQrate
I. Summary of the security vulnerabilities
Four security risks were identified for the aQrate web application:
- Disclosure of user information: In environments where aQrate is used, non-administrators may obtain usernames and passwords managed by the aQrate Print Server.
- Print Server file list disclosure: In environments where aQrate is used via the browser, the directory structure of aQrate Print Server and Central Server can be viewed.
- User information disclosure: In environments where aQrate is used, non-administrators can access the user list managed by aQrate Print Server and Central Server via the API.
- Remote code execution: In environments where aQrate is used, remote code can be executed on the Print Server without privileges (CVE-2021-31769).
At the time of this publication, we are not aware of any attacks that exploit these vulnerabilities.
II. Solution description
The IT security of customers is a top priority for Utax. Updated software is available to close the security gaps. For the greatest possible protection, we recommend updating to the latest version 8.2 (Print Server/Central Server).