VYPR
Unrated severity · NVD Advisory · Published Apr 6, 2021 · Updated Sep 16, 2024

Vangene deltaFlow E-platform - Broken Authentication

CVE-2021-28171

Description

The Vangene deltaFlow E-platform uses a cookie to authenticate users, allowing remote attackers to gain privileged access by tampering with cookie values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Vangene deltaFlow E-platform (version 4) does not properly protect user authentication data stored in cookies. The application relies on a specific cookie to determine the user's identity and privileges, but fails to verify the integrity of that cookie, enabling an authentication bypass. Attackers can modify the cookie value to impersonate any user, including those with administrative permissions. This issue is identified as CVE-2021-28171 [1][2].

Exploitation

An attacker only needs network access to the deltaFlow E-platform and the ability to send HTTP requests. No prior authentication or user interaction is required. By simply tampering with the value of the authentication cookie (e.g., changing a user ID or role field), the attacker can forge a valid session and elevate privileges remotely [1][2].

Impact

Successful exploitation gives the attacker the ability to authenticate as any user on the system, including privileged accounts. This leads to unauthorized access to sensitive data, the ability to modify workflows and configurations, and potential full control over the affected deltaFlow instance. The compromise directly affects confidentiality, integrity, and availability [1][2].

Mitigation

The vendor (Vangene / 敦群數位科技) has not yet released a fixed version as of the publication date. The only mitigation mentioned in the references is to apply vendor-provided updates when they become available. Administrators should monitor vendor advisory channels for patch announcements and, if possible, restrict network access to the platform until a fix is deployed [1][2].
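The integrity check the narrative says the platform lacks, as an added example that is neither deltaFlow's code nor part of the advisory: a cookie whose body is parsed as-is beside one carrying an HMAC-SHA256 tag keyed with a server-side secret, so an edited body no longer verifies. The key, claim names and cookie layout are constructed assumptions for the demonstration; a server-side session store keyed by a random identifier is the other common remedy.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret the browser never sees (constructed demo value).
SECRET_KEY = b"constructed-demo-secret-change-me"


def encode_body(claims: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()


def decode_body(body: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def parse_unsigned_cookie(value: str) -> dict:
    """Weak pattern: whatever the client sends is taken as the user's identity and role."""
    return decode_body(value)


def issue_signed_cookie(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Hardened pattern: body plus an HMAC-SHA256 tag computed with the server key."""
    body = encode_body(claims)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_signed_cookie(value: str, key: bytes = SECRET_KEY):
    """Return the claims only if the tag matches the body; None for any altered cookie."""
    body, sep, tag = value.rpartition(".")
    if not sep:
        return None  # malformed: no tag present
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # body or tag was changed after issuance
    return decode_body(body)


def demo() -> dict:
    """Constructed scenario: a low-privilege session whose body is edited to claim 'admin'."""
    issued = issue_signed_cookie({"uid": 1042, "role": "user"})
    tag = issued.rpartition(".")[2]
    edited_body = encode_body({"uid": 1042, "role": "admin"})
    return {
        "unsigned_role": parse_unsigned_cookie(edited_body)["role"],    # weak parser trusts it
        "signed_edited": verify_signed_cookie(f"{edited_body}.{tag}"),  # None: tag no longer matches
        "signed_genuine": verify_signed_cookie(issued)["role"],         # untouched cookie still valid
    }
```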

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.