
Our response to CVE-2009-2231

In June 2009 a security researcher going by the handle "HxH" published details of a supposed vulnerability affecting our public demo site. The report was assigned CVE-2009-2231.

The researcher made no attempt to contact us and responsibly disclose his findings before publishing them. We do not believe the reported vulnerability to be valid, and we dispute the assigned CVSS (Common Vulnerability Scoring System) score of 7.5.

The supposed vulnerability allowed a user to bypass the login screen of our software's public demo. However, the credentials for logging in to the demo were already listed publicly on that login page itself. The demo credentials were therefore already knowingly and intentionally in the public domain, and bypassing a login that the demo credentials would have passed in any case granted nothing that was not already available to every visitor.

Therefore, at no time did this supposed "exploit" disclose any sensitive information, nor did it allow an "attacker" to gain any elevated level of access to our public demo. It also did not affect any of our customers' MIDAS systems.