SMAX/AMX VULNERABILITY Submit Ideas on behalf of other users

CVE-2023-32259

Product & Service Introduction:

OpenText SMAX is comprehensive service management software that delivers efficient IT Service Management (ITSM), IT Asset Management (ITAM), and Enterprise Service Management (ESM). Powered by embedded analytics and machine learning, it is easy to use, easy to extend, and easy to run anywhere.

Technical Description:

A broken access control vulnerability exists in the ITSM component of OpenText SMAX. When an authenticated user submits an Idea, the server takes the submitter's user ID from the client request and does not check that the authenticated user is permitted to act as that user. Because SMAX integrates with Active Directory and assigns each user a unique ID, any authenticated user who knows another user's ID can submit Ideas in that user's name without holding the permissions needed to do so.

Steps to Reproduce:

Initiate the Submission Process: Log into the ITSM System using your account and select “Suggest idea.”

Intercept and Modify the Request: Using a proxy tool, intercept the submission request before it reaches the server.

Impersonate a Target: Modify the User ID field with your target’s unique ID and forward the request.

After submission, the target user receives no notification, so they remain unaware that an Idea has been filed in their name.
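The root cause of the steps above is a server that records whatever user ID the client sends as the submitter. The following is an added example, not OpenText SMAX code: a minimal "Suggest idea" handler written in the vulnerable pattern next to a hardened version that derives the submitter from the login session, honours a client-supplied ID only under an explicit delegation right, and notifies both the submitter of record and the acting user. The field names (userId, title), the Session/Idea types, and the delegation mechanism are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed example, not OpenText SMAX code: a minimal "Suggest idea"
# endpoint showing the authorization flaw described above next to a
# hardened version. Field names (userId, title) are assumptions.


class AuthorizationError(Exception):
    """Raised when a caller tries to act as a user it may not act for."""


@dataclass(frozen=True)
class Session:
    """Identity established at login; the only trustworthy source of 'who'."""
    user_id: str
    # Users this session is explicitly allowed to submit on behalf of
    # (e.g. a service-desk agent). Empty for ordinary users. (Assumed model.)
    may_submit_for: frozenset = frozenset()


@dataclass
class Idea:
    title: str
    submitted_by: str            # user recorded as the submitter
    created_by: str              # session that actually made the request
    notified: tuple = ()         # users that were told about this idea


@dataclass
class IdeaStore:
    ideas: list = field(default_factory=list)


def notify(user_ids):
    """Stand-in for e-mail/portal notification; returns who was notified."""
    return tuple(sorted(set(user_ids)))


def create_idea_vulnerable(session: Session, body: dict, store: IdeaStore) -> Idea:
    """The flawed pattern: the submitter is whatever userId the client sent.
    Any authenticated user can place another user's ID here, and the
    impersonated user is never notified."""
    idea = Idea(title=body["title"],
                submitted_by=body["userId"],   # attacker-controlled
                created_by=session.user_id)
    store.ideas.append(idea)
    return idea


def create_idea_fixed(session: Session, body: dict, store: IdeaStore) -> Idea:
    """Hardened pattern: the submitter defaults to the session identity, and a
    client-supplied userId is honoured only with an explicit delegation right.
    Both the submitter and the acting user are recorded and notified."""
    requested = body.get("userId", session.user_id)
    if requested != session.user_id and requested not in session.may_submit_for:
        raise AuthorizationError(
            f"{session.user_id} may not submit ideas as {requested}")
    idea = Idea(title=body["title"],
                submitted_by=requested,
                created_by=session.user_id,
                notified=notify({requested, session.user_id}))
    store.ideas.append(idea)
    return idea


def try_create_fixed(session: Session, body: dict, store: IdeaStore):
    """Convenience wrapper: returns the Idea, or None when authorization fails."""
    try:
        return create_idea_fixed(session, body, store)
    except AuthorizationError:
        return None


if __name__ == "__main__":
    alice = Session("u-1001")                           # ordinary user
    agent = Session("u-3003", frozenset({"u-2002"}))    # may act for u-2002
    forged = {"title": "Dark mode for the portal", "userId": "u-2002"}

    v = create_idea_vulnerable(alice, forged, IdeaStore())
    print("vulnerable:", v.submitted_by, "notified:", v.notified)

    print("fixed, forged:", try_create_fixed(alice, forged, IdeaStore()))
    ok = try_create_fixed(agent, forged, IdeaStore())
    print("fixed, delegated:", ok.submitted_by, ok.notified)
```

When reviewing a real deployment for this class of bug, the check to make is the one in create_idea_fixed: the identity written into the record must come from the server-side session, and any request field that names a user must be compared against it (or against an explicit delegation permission) before it is stored. Recording created_by alongside submitted_by also gives the audit trail needed to detect attempts that the vulnerable version would silently accept.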

Solution – Fix & Patch:

Micro Focus has made the following mitigation information available to resolve the vulnerability for the impacted versions of SMAX/AMX:

  • SMAX 2023.05
    https://docs.microfocus.com/doc/SMAX/2023.05/Upgrade

  • AMX 2023.05
    https://docs.microfocus.com/doc/AMX/2023.05/Upgrade

If updating to version 2023.05 is not possible, please click the link below to apply an alternative solution immediately.

