Full Report
CERT Polska has received a report of eight vulnerabilities (CVE-2026-53902 through CVE-2026-53909) in the MyComplianceOffice (MCO) software.
Analysis Summary
# Vulnerability: Multiple Flaws in MyComplianceOffice (MCO)
## CVE Details
- **CVE ID:** CVE-2026-53902 through CVE-2026-53909
- **CVSS Score:** Not provided in the source. The High/Critical rating used below is this summary's own estimate, based on the privilege escalation and path traversal findings.
- **CWE:**
- CWE-266 (Incorrect Privilege Assignment)
- CWE-639 (Authorization Bypass Through User-Controlled Key)
- CWE-307 (Improper Restriction of Excessive Authentication Attempts)
- CWE-863 (Incorrect Authorization)
- CWE-22 (Path Traversal)
- CWE-79 (Cross-site Scripting; stored variant here)
- CWE-204 (Observable Response Discrepancy)
- CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products:** MyComplianceOffice (MCO) software
- **Versions:** 25.3.3.1 (Confirmed); other versions may also be affected.
- **Configurations:** Default installations of the MCO web platform.
## Vulnerability Description
A total of eight vulnerabilities were identified in the MCO platform, ranging from authorization bypasses to file handling flaws:
- **Privilege Escalation (CVE-2026-53902):** Lack of authorization checks on the `group-membership` endpoint allows users to add themselves to arbitrary groups.
- **IDOR / Data Access (CVE-2026-53903):** Object identifiers supplied by the client are honoured without checking that the requester is allowed to access the referenced record (CWE-639).
- **Brute Force (CVE-2026-53904):** No limit is enforced on attempts at the security question prompt, so answers can be brute-forced.
- **Auth Bypass (CVE-2026-53905):** Being authenticated is enough to read admin-level ACL tree structures; no role check is enforced.
- **Path Traversal (CVE-2026-53906):** Improper validation of `filename` parameters allows writing files to arbitrary locations and discloses absolute server paths.
- **Stored XSS (CVE-2026-53907):** Malicious SVG files can be uploaded as application logos to execute JavaScript.
- **User Enumeration (CVE-2026-53908):** Distinguishable responses in password reset/username reminder features allow for account harvesting.
- **Unrestricted Upload (CVE-2026-53909):** File type validation is performed only on the client side, so a low-privileged user can bypass it and upload dangerous file types.
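The three authorization findings above (CVE-2026-53902, -53903 and -53905) share one root cause: the server acts on keys taken from the request without asking whether the session's user is allowed to touch the referenced object. The following Python is an added illustration of that pattern and its fix; it is not MCO code and the advisory does not describe the product's internals. The endpoint names follow the advisory, but the in-memory store, the role names, the self-service policy and every function name are assumptions.

```python
"""Group-membership and ACL-tree authorization: added example, not MCO code.

The endpoint names follow the advisory; the in-memory store, role names,
self-service policy and every function name here are assumptions.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class Store:
    roles: dict = field(default_factory=dict)        # user -> set of roles
    groups: dict = field(default_factory=dict)       # group -> set of members
    self_service: set = field(default_factory=set)   # groups a plain user may join alone


def sample_store() -> Store:
    """Constructed directory for the demo (not real MCO data)."""
    return Store(
        roles={"alice": {"user"}, "bob": {"user"}, "carol": {"user", "admin"}},
        groups={"staff": {"alice", "bob"}, "compliance-admins": {"carol"}},
        self_service={"staff"},
    )


def add_membership_vulnerable(store: Store, session_user: str, body: dict) -> set:
    """Flaw pattern behind CVE-2026-53902/53903 (CWE-266, CWE-639): the user
    acted on and the group are both client-supplied keys, and nothing asks
    whether session_user may make this change. session_user is never consulted."""
    store.groups[body["group"]].add(body["user_id"])
    return store.groups[body["group"]]


def add_membership_fixed(store: Store, session_user: str, body: dict) -> set:
    """Hardened form: the subject defaults to the session identity, both keys
    are validated against the directory, and the decision comes from the
    actor's server-side roles, never from anything in the request body."""
    group = body.get("group")
    target = body.get("user_id", session_user)
    if group not in store.groups or target not in store.roles:
        raise KeyError("unknown group or user")
    if "admin" not in store.roles.get(session_user, set()):
        # Plain users may only change their own memberships, and only in self-service groups.
        if target != session_user:
            raise Forbidden("cannot modify another user's memberships")
        if group not in store.self_service:
            raise Forbidden("group is not self-service")
    store.groups[group].add(target)
    return store.groups[group]


def view_acl_tree(store: Store, session_user: str) -> dict:
    """Same rule for the admin-level ACL tree (CVE-2026-53905, CWE-863):
    being authenticated is not the check; holding the admin role is."""
    if "admin" not in store.roles.get(session_user, set()):
        raise Forbidden("admin role required")
    return {g: sorted(m) for g, m in store.groups.items()}


def is_denied(fn, *args) -> bool:
    """True when fn(*args) is refused with Forbidden (used by callers and tests)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    s = sample_store()
    # Vulnerable: alice makes herself a compliance admin with one request.
    print(add_membership_vulnerable(s, "alice", {"group": "compliance-admins", "user_id": "alice"}))
    s = sample_store()
    print(is_denied(add_membership_fixed, s, "alice", {"group": "compliance-admins", "user_id": "alice"}))
```

The point of `add_membership_fixed` is that the `user_id` key is still accepted, but it is no longer trusted: a plain user can only act on the session identity, and the admin role that unlocks other targets is looked up server-side.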
## Exploitation
- **Status:** PoC described in report; no confirmation of active exploitation in the wild.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Web-based)
## Impact
- **Confidentiality:** High (Access to ACL structures, user enumeration, and sensitive data via IDOR)
- **Integrity:** High (Modification of group memberships and arbitrary file writes)
- **Availability:** Medium (arbitrary file writes via path traversal can overwrite files the application depends on)
## Remediation
### Patches
- **Status:** No official patches currently listed. CERT Polska noted that vendor contact attempts were unsuccessful.
### Workarounds
- Enforce server-side validation for all file uploads: an extension allowlist, content sniffing that must agree with the declared type, and filename checks that reject path separators and `..`.
- Run the application user with minimal filesystem permissions (read-only application and web-root directories, write access only to the intended upload location) so a traversal cannot write where it matters.
- Use a Web Application Firewall (WAF) to filter path traversal patterns (e.g., `../` and its URL-encoded and double-encoded forms) and SVG uploads. Treat this as a stop-gap: pattern filters are bypassable and do not replace a fix.
- Disable the "Application Logo" change functionality or limit it to administrative users only.
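The upload-related workarounds above describe what a server-side check has to do; the following Python shows that check carried through, as an added example that is not MCO code and not from the advisory. It covers both the traversal (CVE-2026-53906) and dangerous-type (CVE-2026-53909) cases and refuses SVG for a logo outright (CVE-2026-53907). The upload root, size limit, raster allowlist and function names are assumptions.

```python
"""Server-side validation for file uploads: added example, not MCO code.
The upload root, the raster allowlist and every name here are assumptions."""
import os

UPLOAD_ROOT = "/srv/mco/uploads"   # assumed location, not from the advisory
MAX_BYTES = 2 * 1024 * 1024
# Extension -> magic prefix. Raster only: SVG is XML and can carry script
# (the CVE-2026-53907 vector), so a logo upload never accepts it.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MARKUP_HINTS = (b"<?xml", b"<svg", b"<script", b"<html", b"<!doctype")


class UploadRejected(ValueError):
    pass


def safe_name(filename: str) -> str:
    """Accept only a single, plain path component. Rejecting (rather than
    stripping) separators and '..' closes the CWE-22 case in which a crafted
    filename escapes the upload directory."""
    if not filename or "\x00" in filename:
        raise UploadRejected("empty filename or NUL byte")
    if "/" in filename or "\\" in filename or ".." in filename:
        raise UploadRejected("path separators or '..' in filename")
    if filename.startswith(".") or "." not in filename:
        raise UploadRejected("hidden file or no extension")
    return filename


def target_path(root: str, name: str) -> str:
    """Second, independent check: the resolved path must still be inside root."""
    root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise UploadRejected("resolved path escapes upload root")
    return path


def validate_upload(filename: str, data: bytes, root: str = UPLOAD_ROOT) -> str:
    """Size, extension allowlist and content sniffing must all agree. The
    extension alone is what client-side-only validation (CVE-2026-53909)
    trusts, and a client can rename a file to anything."""
    name = safe_name(filename)
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = name.rsplit(".", 1)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not data.startswith(magic):
        raise UploadRejected("content does not match declared type")
    if any(h in data[:512].lower() for h in MARKUP_HINTS):
        raise UploadRejected("markup found in image header")
    return target_path(root, name)


def rejected(filename: str, data: bytes) -> bool:
    """True when validate_upload refuses the upload (for callers and tests)."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)   # constructed minimal PNG header
    print(validate_upload("logo.png", png))
    print(rejected("../../etc/cron.d/x.png", png), rejected("logo.svg", b"<svg/>"))
```

`safe_name` and `target_path` are deliberately redundant: if a future change relaxes the filename rule, the realpath containment check still holds the line, which is the defence-in-depth the second workaround (restricted filesystem permissions) provides at the OS layer.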
## Detection
- **Indicators of Compromise:**
- Unexpected changes in group memberships in application logs.
- SVG files in the application logo directories that contain `<script>` elements, event-handler attributes (e.g. `onload=`), `javascript:` URLs or `<foreignObject>`; a check for the literal `<script>` tag alone misses most payloads.
- Large volumes of requests to `/customer/servlet/mco/webapi/admin-view-hierarchy/`, especially from accounts that are not administrators.
- **Detection methods:** Monitor web server access logs for directory traversal sequences (including URL-encoded and double-encoded forms such as `%2e%2e%2f` and `%252e%252e%252f`) and for a single client requesting many distinct object identifiers through the same API path, the typical footprint of IDOR enumeration.
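The indicators above, turned into detection logic and run over a constructed sample log, as an added example that is not part of the advisory. The admin-view-hierarchy path is the one named above; the log format (combined format with the authenticated user in the third field), the thresholds, and the assumption that object endpoints end in a numeric ID are all mine and would need adjusting to the real deployment.

```python
"""Detection for the indicators above, run over constructed sample data.

Added example, not from the advisory. The log format, the thresholds and the
numeric-object-ID path pattern are assumptions; the admin-view-hierarchy path
is the one named in the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

ADMIN_TREE = "/customer/servlet/mco/webapi/admin-view-hierarchy/"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# '..' as its own segment: at the start of a path or query value, or after a separator
TRAVERSAL_RE = re.compile(r'(?<![^/\\=&?])\.\.(?=[/\\]|$)')
# Assumption: object endpoints look like /.../<numeric id>
ID_PATH_RE = re.compile(r'^(?P<tmpl>/.+/)(?P<id>\d+)/?$')
# Script-capable SVG content is far more than a literal <script> tag.
SVG_ACTIVE_RE = re.compile(rb'<script|\son[a-z]+\s*=|javascript:|<foreignobject|<iframe|<embed', re.I)


def _line(ip, user, sec, method, path, status=200):
    return (f'{ip} - {user} [12/Jul/2026:10:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')


# Constructed sample log (not real MCO traffic). The /users/<id> endpoint is hypothetical.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "jdoe", 1, "POST", "/customer/servlet/mco/upload?filename=..%2F..%2Fwebapps%2FROOT%2Fx.jsp"),
     _line("10.0.0.5", "jdoe", 2, "POST", "/customer/servlet/mco/upload?filename=%252e%252e%252fetc%252fx"),
     _line("10.0.0.3", "ccarr", 5, "GET", "/customer/servlet/mco/home"),
     _line("10.0.0.3", "ccarr", 6, "GET", ADMIN_TREE),
     _line("10.0.0.3", "ccarr", 7, "GET", "/customer/servlet/mco/webapi/users/2001")]
    + [_line("10.0.0.9", "asmith", 60 + i, "GET", ADMIN_TREE) for i in range(25)]
    + [_line("10.0.0.7", "bwong", 120 + i, "GET", f"/customer/servlet/mco/webapi/users/{1000 + i}") for i in range(6)]
)


def parse(log_text):
    """Yield dicts for lines that match the assumed combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield d


def fully_decoded(s, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../ too."""
    for _ in range(rounds):
        t = unquote(s)
        if t == s:
            break
        s = t
    return s


def has_traversal(path):
    dec = fully_decoded(path)
    return bool(TRAVERSAL_RE.search(dec)) or "\x00" in dec


def admin_tree_bursts(entries, window_s=60, threshold=20):
    """Clients with >= threshold requests to the ACL tree inside window_s seconds."""
    per_client = defaultdict(list)
    for e in entries:
        if e["path"].startswith(ADMIN_TREE):
            per_client[(e["ip"], e["user"])].append(e["ts"])
    flagged = []
    for client, times in per_client.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(client)
                break
    return flagged


def id_sweeps(entries, threshold=5):
    """Clients that touch >= threshold distinct numeric IDs under one path template."""
    seen = defaultdict(set)
    for e in entries:
        m = ID_PATH_RE.match(e["path"].split("?", 1)[0])
        if m:
            seen[(e["ip"], e["user"], m["tmpl"])].add(m["id"])
    return [k for k, ids in seen.items() if len(ids) >= threshold]


def svg_active_content(data: bytes) -> bool:
    """For files found in the logo directory: flag any script-capable SVG."""
    return bool(SVG_ACTIVE_RE.search(data))


def analyze(log_text, window_s=60, threshold=20, id_threshold=5):
    entries = list(parse(log_text))
    return {
        "traversal": sorted({(e["ip"], e["user"]) for e in entries if has_traversal(e["path"])}),
        "acl_tree_bursts": admin_tree_bursts(entries, window_s, threshold),
        "id_sweeps": id_sweeps(entries, id_threshold),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The thresholds are starting points: a legitimate administrator loading the ACL tree on every page view will produce bursts too, so tune on a baseline of admin traffic and give extra weight to hits from accounts that should never reach that endpoint at all.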
## References
- CERT Polska Advisory: [hxxps://cert[.]pl/en/posts/2026/07/vulnerabilities-in-mycomplianceoffice/](https://cert.pl/en/posts/2026/07/vulnerabilities-in-mycomplianceoffice/)
- CVE Records: [hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-53902](https://www.cve.org/CVERecord?id=CVE-2026-53902) (and through 53909)