CVE-2021-42641: 
PrinterLogic Server vulnerability analysis and mitigation

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below contain an Insecure Direct Object Reference (IDOR) vulnerability identified as CVE-2021-42641. This vulnerability allows an unauthenticated attacker to disclose the username and email address of all users in the system (NVD, SecurityWeek). The vulnerability was discovered in 2021 and patched in January 2022 with the release of version 19.1.1.13-SP10.

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction, and primarily impacts confidentiality (NVD). The vulnerability is classified under CWE-668 (Exposure of Resource to Wrong Sphere).

The vulnerability allows unauthorized access to sensitive user information, specifically enabling attackers to obtain usernames and email addresses of all users in the system. This exposure of personally identifiable information (PII) could lead to potential privacy violations and could be used as a stepping stone for further targeted attacks (SecurityWeek).

The vulnerability has been fixed in PrinterLogic Web Stack version 19.1.1.13-SP10. Organizations are advised to upgrade to this version or later to address the security issue. For Virtual Appliance users, no client software updates are required. PrinterLogic has also automatically pushed patches to its SaaS platform worldwide (SecurityWeek).