Unrestricted file upload in MyComplianceOffice MCO version 25.3.3.1 allows an authenticated low-privileged attacker to upload files of arbitrary types by bypassing client-side-only validation controls. The CVSS 4.0 vector confirms network-accessible exploitation with low complexity, requiring only a valid low-privileged account and a web proxy to intercept and modify upload requests. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
User enumeration in MyComplianceOffice (MCO) version 25.3.3.1 allows unauthenticated remote attackers to identify valid usernames and email addresses by observing distinguishable application responses from the password reset and username reminder endpoints. The CWE-204 Observable Response Discrepancy root cause means account existence is leaked through differential error messages, status codes, or redirect behavior - classic reconnaissance fodder for follow-on credential stuffing or targeted phishing against compliance personnel. No public exploit code has been identified and no CISA KEV listing exists; however, vendor contact was unsuccessful, leaving patch status unresolved and version scope uncertain beyond the confirmed 25.3.3.1 release.
Stored XSS in MyComplianceOffice MCO version 25.3.3.1 allows a privileged attacker with logo-upload rights to plant malicious JavaScript inside a crafted SVG file that executes in any user's browser when the application logo is rendered. The issue was reported by CERT-PL; vendor contact was unsuccessful, so no official patch or advisory is in place. No public exploit code has been identified at time of analysis, though the SVG-based XSS technique is well-documented and trivially replicable against unpatched instances.
Path traversal and path disclosure in MyComplianceOffice MCO's file handling functionality allow authenticated high-privilege users to write files to arbitrary server locations and leak absolute server paths through error messages. Confirmed in version 25.3.3.1 via CERT-PL research, with other versions potentially affected given unsuccessful vendor contact. No public exploit code or active exploitation has been identified at time of analysis; the high privilege prerequisite (PR:H) substantially constrains the real-world attack surface.
MCO's compliance management platform exposes administrator ACL tree structures to any authenticated low-privileged user via a missing authorization check on the `/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure` web API endpoint. Confirmed by CERT-PL in version 25.3.3.1, the flaw allows low-privileged users to retrieve permission hierarchies and internal configuration details intended only for administrators. No active exploitation has been identified, no public exploit code exists, and vendor contact attempts were unsuccessful, leaving the patch timeline and full version impact unresolved.
Account denial-of-service in MyComplianceOffice MCO 25.3.3.1 enables a remote attacker to permanently lock a targeted user out of their account by repeatedly triggering password resets. MCO's reset mechanism invalidates all previously set passwords and temporary credentials on every reset cycle, and imposes no rate limit on how frequently resets can be initiated - so once an attacker supplies the victim's email and a valid security question answer, they can sustain the lockout indefinitely. No public exploit has been identified at time of analysis, and active exploitation is not confirmed, but the attack is conceptually simple and requires no authentication beyond the security question hurdle.
Insecure Direct Object Reference in MyComplianceOffice MCO version 25.3.3.1 allows authenticated users to retrieve trading document PDFs belonging to other customers by manipulating a user-supplied document identifier at the fetchPdfStatement API endpoint. The application performs no ownership or authorization check beyond confirming the user is logged in, enabling horizontal privilege escalation across customer accounts. No public exploit code or active exploitation has been identified at time of analysis, but predictable document ID patterns make automated enumeration feasible, raising real-world risk in financial compliance environments where trading statements contain sensitive regulatory and transactional data.
Privilege escalation in MyComplianceOffice (MCO) compliance platform version 25.3.3.1 lets an authenticated user add themselves to arbitrary groups via the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint, which fails to enforce authorization on group changes. By supplying a valid group ID - obtainable through the application's own group picker API or guessable via brute force - a low-privileged account can inherit the permissions of higher-privileged groups. Reported by CERT-PL; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.