CVE-2009-0809
Description
The Web Editor in Dassault Systemes ENOVIA SmarTeam V5 before Release 18 Service Pack 8, and possibly CATIA and other products, allows remote authenticated users to read the profile card of an object in the document class via a link that is sent from the owner of the document object.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users in Dassault ENOVIA SmarTeam Web Editor can read profile cards of restricted document objects via a shared link.
Vulnerability
The Web Editor component in Dassault Systemes ENOVIA SmarTeam V5 before Release 18 Service Pack 8 (and possibly CATIA) fails to enforce access controls when viewing the profile card of a document object. A remote authenticated user who does not have permission to a document class can still view the profile card if they receive a direct link from the object's owner. The vulnerability exists because the link bypasses the permission check for the profile card view, although the actual document viewer still enforces authorization [1].
Exploitation
An attacker must be an authenticated user of the Web Editor. The attack requires the owner of a document object (who has permission to the document class) to send a link to the attacker via the email icon in the Web Editor. The attacker then clicks the link and can view the profile card of the object, even though the attacker has no access rights to that document class. The attacker cannot view the document content itself, as the viewer returns an unauthorized error [1].
Impact
Successful exploitation allows an authenticated attacker to read the profile card (metadata) of a document object that they are not authorized to access. This results in information disclosure of potentially sensitive metadata. The actual document content remains protected. The attacker gains no additional privileges beyond their existing authenticated session [1].
Mitigation
The issue is fixed in SmarTeam V5 Release 18 Service Pack 8 (SP08). Users should upgrade to this version or later. No workaround is documented in the available reference [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < R18SP8
Patches
No patches discovered yet.
References
- secunia.com/advisories/34037 (nvd, Vendor Advisory)
- www-01.ibm.com/support/docview.wss (nvd, Vendor Advisory)
- www.vupen.com/english/advisories/2009/0525 (nvd, Vendor Advisory)
- www.securityfocus.com/bid/33895 (nvd)