MIDAS Security Advisory

The vulnerability could allow a MIDAS user with limited permissions to indirectly elevate the permissions assigned to their user account.

Our security team are not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Vulnerable Products

• MIDAS v4.26 (and earlier)
• MIDAS v4.27 (builds prior to 19th May 2021 @ 14:14 UTC)

Products Confirmed Not Vulnerable

• MIDAS v4.27 (builds from 19th May 2021 @ 14:14 UTC onwards)

• Self-hosted customers with active support subscriptions should update to the latest version of MIDAS v4.27 (or later) via MIDAS Admin Options → Manage MIDAS → Update.
• Self-hosted customers without active support subscriptions, but running an earlier build of MIDAS v4.27 should update to the latest build of MIDAS v4.27 via MIDAS Admin Options → Manage MIDAS → Update.
• Self-hosted customers without active support subscriptions running earlier versions of MIDAS should renew or purchase a subscription to be able to update to the latest version of MIDAS.
• Cloud-hosted customers: No further action required - Your MIDAS system is already running the latest version and build of MIDAS.

• 19th May 2021 11:45 - Initial report received
• 19th May 2021 12:15 - Report verified
• 19th May 2021 14:14 - Fix implemented
• 19th May 2021 14:17 - Fix rolled out to all cloud-hosted customers
• 19th May 2021 14:28 - Vulnerability confirmed resolved by initial reporter
• 19th May 2021 16:50 - Security Advisory issued

• The MIDAS Security Team would like to thank Mr. Shail Shah for reporting this issue to us.