CISA has assisted a researcher in coordinating the disclosure of multiple vulnerabilities they discovered affecting web-based case and document management systems used by state, county, and municipal courts. Affected systems include products from Tyler Technologies and Catalis, as well as custom software used by specific counties in Florida. In summary, the vulnerabilities allow an unauthenticated, remote attacker to access sensitive documents by manipulating identifiers and file names in URLs. CISA understands that some of the vulnerabilities may already have been mitigated. Further information is available in the researcher’s disclosure and a corresponding article.
CISA encourages users and administrators to apply security updates as they become available for the following vulnerabilities:
| Vulnerability | Description |
|---|---|
| | Catalis CM360 allows authentication bypass. |
| | Tyler Technologies Court Case Management Plus “pay for print” allows authentication bypass. |
| | Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server tssp.aspx allows authentication bypass. |
| | Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server te003.aspx and te004.aspx allows authentication bypass. |
| | Aquaforest TIFF Server default configuration allows access to arbitrary files. |
| | Tyler Technologies Civil and Criminal Electronic Filing Upload.aspx allows authentication bypass. |
| | Tyler Technologies Magistrate Court Case Management Plus PDFViewer.aspx allows authentication bypass. |
| | Tyler Technologies Magistrate Court Case Management Plus stores backups insecurely. |
| | Henschen & Associates court document management software cache uses predictable file names. |
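As an added example (not code from CISA, the researcher, or any of the vendors named above), the following Python script triages web-server access logs for the two request patterns this advisory describes: path-traversal strings in file-name parameters and a single client walking through many document identifiers against the affected .aspx endpoints. The log line format, the query parameter names, the enumeration threshold and the sample lines are all constructed assumptions; adapt them to the real log source.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the advisory, matched case-insensitively on the last path segment.
WATCHED = {"tssp.aspx", "te003.aspx", "te004.aspx", "upload.aspx", "pdfviewer.aspx"}
TRAVERSAL = re.compile(r"\.\.[/\\]")
ENUM_THRESHOLD = 5  # distinct parameter values from one client against one endpoint (assumed)

# Assumed Apache "common"-style line: client ident user [time] "METHOD url HTTP/x" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def triage(lines):
    """Return ('traversal', client, endpoint, status) per suspicious request and
    ('enumeration', client, endpoint, distinct_count) per client/endpoint pair."""
    findings = []
    ids = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        client, url, status = m.groups()
        parts = urlsplit(url)
        endpoint = parts.path.rsplit("/", 1)[-1].lower()
        if endpoint not in WATCHED:
            continue
        query = unquote(unquote(parts.query))  # decode twice to catch double-encoded "../"
        if TRAVERSAL.search(query):
            findings.append(("traversal", client, endpoint, status))
        for key, values in parse_qs(parts.query).items():
            for v in values:
                ids[(client, endpoint)].add((key, v))
    for (client, endpoint), values in sorted(ids.items()):
        if len(values) >= ENUM_THRESHOLD:
            findings.append(("enumeration", client, endpoint, len(values)))
    return findings


# Constructed sample log lines (documentation IP ranges, fictitious paths).
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2023:12:00:%02d +0000] "GET /CMS/PDFViewer.aspx?docid=%d HTTP/1.1" 200 1024'
    % (i, 1000 + i) for i in range(5)
] + [
    '203.0.113.5 - - [10/Oct/2023:12:01:00 +0000] "GET /tiff/tssp.aspx?file=..%2F..%2Fweb.config HTTP/1.1" 200 512',
    '192.0.2.9 - - [10/Oct/2023:12:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The traversal check fires per request, while the enumeration check only reports after the whole log has been read, so run it over a bounded time window rather than a rolling stream.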