
Vulnerability Management Policy – FileGPS
The IANN FileGPS product follows a tailored vulnerability management process aligned with the organization’s overall Vulnerability Management Policy. This process is designed to identify, assess, mitigate, and monitor security vulnerabilities specific to the FileGPS product environment.
The FileGPS product team follows a proactive security lifecycle in every version release of the product that includes:
Impact | Priority | No. of days |
---|---|---|
Critical | P1 | Immediate |
High | P2 | 14 Days |
Medium | P3 | 30 Days |
Low | P4 | 90 Days |
The FileGPS product team, in coordination with the Application Security Team and IT Security, ensures for every release that:
When a vulnerability is identified that may impact customers:
The FileGPS environment is continuously monitored through security tools and log analysis. The product team subscribes to vulnerability feeds and actively tracks third-party component disclosures to ensure timely action on relevant threats.
An annual penetration test is conducted specifically for the FileGPS product to simulate real-world attacks and uncover potential security flaws. The most recent penetration test was completed in January 2025, and a comprehensive Pen Test Report is available. Findings from the report were reviewed by the product and security teams and remediated according to organizational timelines. Attaching the report here for review:
From December 20th, 2024, to January 17th, 2025, PragmaEdge Inc. engaged our Security Team to evaluate the security posture of its infrastructure against current industry best practices, including an internal network penetration test. All testing performed is based on the OWASP Testing Guide (v4) and customized testing frameworks.
Internal Penetration Test
An internal penetration test emulates the role of an attacker from inside the network. An engineer scans the network to identify potential host vulnerabilities and performs common and advanced internal network attacks, such as checking SSL certificates, port scanning to find vulnerable ports and their service version numbers, exploitation using Metasploit, token impersonation, pass-the-hash, etc.
The following table defines the levels of severity and the corresponding CVSS score ranges used throughout the document to assess vulnerability and risk impact.
Severity | CVSS V3 Score Range | Definition |
---|---|---|
Critical | 9.0-10.0 | Exploitation is straightforward and usually results in system-level compromise. It is advised to form a plan of action and patch immediately. |
High | 7.0-8.9 | Exploitation is more difficult but could cause elevated privileges and potentially a loss of data or downtime. It is advised to form a plan of action and patch as soon as possible. |
Moderate | 4.0-6.9 | Vulnerabilities exist but are not exploitable or require extra steps such as social engineering. It is advised to form a plan of action and patch after high-priority issues have been resolved. |
Low | 0.1-3.9 | Vulnerabilities are non-exploitable but would reduce an organization’s attack surface. It is advised to form a plan of action and patch during the next maintenance window. |
Informational | N/A | No vulnerability exists. Additional information is provided regarding items noticed during testing, strong controls, and additional documentation. |
Risk is measured by the factor: Impact
Impact
Impact measures the potential vulnerability’s effect on operations, including the confidentiality, integrity, and availability of client systems and/or data, reputational harm, and financial loss.
Assessment | Details |
Internal Penetration Test |
Our Security Team did not perform any of the following attacks during testing:
Important Note: the PragmaEdge Inc Security Team deployed its testing tools on the server selected for penetration testing.
Our Security Team evaluated internal security posture through penetration testing from December 20th, 2024, to January 17th, 2025. The following sections provide a high-level overview of vulnerabilities discovered, successful and unsuccessful attempts, and strengths and weaknesses.
The network assessment evaluated the internal network security posture of PragmaEdge products. From an internal perspective, our Security Team performed vulnerability scanning against all IPs hosted in the production environment to evaluate the overall patching health of the network. The team also performed common Active Directory based attacks, SSL test attacks and SMB relaying. Beyond vulnerability scanning and Active Directory attacks, the team evaluated other potential risks, such as open file shares, default credentials on servers/devices, and sensitive information disclosure, to gain a complete picture of the network’s security posture.
Our Security Team summarized the overall security posture as below:
The following identifies the key strengths identified during the assessment:
The following tables illustrate the vulnerabilities found by impact and recommended remediations:
Initial Internal Penetration Test Findings
Critical | High | Medium | Low | Informational |
---|---|---|---|---|
1 | 1 | 1 | 7 | 1 |
Finding | Severity | Recommendation |
---|---|---|
Finding IPT-001: Account Takeover – Allocation of Resources Without Limits or Throttling | Critical | Implement rate limiting on OTP validation requests to restrict the number of attempts from a single IP address or account within a defined timeframe. Additionally, enforce exponential backoff for repeated failed attempts to prevent brute-force attacks. |
Finding IPT-002: No rate limiting on Forgot Password feature on the application – Improper Authorization | High | To mitigate this issue, developers should implement a timeout after a number of requests in a period of time or implement a strong CAPTCHA mechanism on the forgot password page. |
Finding IPT-003: Email Enumeration through brute force attacks on Forgot Password feature in the application – Allocation of Resources Without Limits or Throttling | Medium | Implement rate limiting on forgot password attempts to prevent brute-force attacks. Block IP addresses that are known to be involved in malicious activity. Ensure the application returns consistent generic error messages in response to an invalid email during the forgot password process. |
Finding IPT-004: No Input Validation – Insecure Design | Low | Implement a check for duplicate names during registration. Remove any special characters or malformed data from the email address. Implement input validation. Sanitize the input data. |
Finding IPT-005: Unauthorized logouts – Improper Access Control | Low | Implement token validation and verification mechanisms to ensure that only authorized users can delete authentication tokens associated with their own accounts. |
Finding IPT-006: Weak Password Policy – Weak Password Requirements | Low | Require passwords to be at least 12 characters long. Enforce password complexity: require at least one uppercase letter, one lowercase letter, one number and one special character (!, @, #, $, etc.). |
Finding IPT-007: User Interface access change – Incorrect Authorization | Low | Implement validation checks to ensure that users have the necessary permissions before accessing the User Interface (UI). |
Finding IPT-008: Business Logic Vulnerabilities – Insufficient Session Expiration | Low | Implement a mechanism to log out a user’s account when it is disabled by a super admin. |
Finding IPT-009: Business Logic Vulnerabilities – Insufficient Session Expiration | Low | Implement a mechanism to log out a user’s account when it is disabled by a super admin. |
Finding IPT-010: Host Header Injection in Email Activation Links – Improper Neutralization of HTTP Headers for Scripting Syntax | Low | Do not generate links dynamically based on request headers. Use a predefined, secure domain from the application’s configuration. |
Finding IPT-011: Inadequate Email Input Validation – Improper Validation of Specified Type of Input | Low | Ensure email addresses are normalized by removing aliasing characters (+ and anything after it before @) before processing. |
Finding IPT-012: Excess data exposure – Exposure of Sensitive System Information to an Unauthorized Control Sphere | Informational | Remove application endpoints from the main.js file and the SSO link from the active-profile endpoint. |
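As an added illustration of the controls recommended for findings IPT-001 to IPT-003 (this is not code from FileGPS or from the PragmaEdge report): failed OTP attempts are counted per account and per client IP, the lockout grows exponentially after a small free allowance, the code is compared in constant time, and every outcome returns the same generic message so that neither account existence nor the reason for refusal is disclosed. The thresholds, class and function names, and the sample account used in testing are assumptions.

```python
# Added example, not FileGPS code: throttled OTP validation with exponential backoff and
# a generic response (findings IPT-001 to IPT-003); names, thresholds and data are assumed.
import hmac
import time
from dataclasses import dataclass, field

MAX_FREE_ATTEMPTS = 3      # failed attempts tolerated before backoff starts
BASE_DELAY_SECONDS = 2.0   # first lockout; doubles with each further failure
MAX_DELAY_SECONDS = 900.0  # cap so a legitimate user is never locked out for long
# Same text for success, wrong code, unknown account and throttled request alike.
GENERIC_MESSAGE = "If the details are valid, your request has been processed."

@dataclass
class Throttle:
    """Failure counter and lockout deadline for one key (an account or a client IP)."""
    failures: int = 0
    locked_until: float = 0.0

@dataclass
class OtpVerifier:
    otps: dict                                     # account -> currently valid OTP
    throttles: dict = field(default_factory=dict)  # key -> Throttle

    def _throttle(self, key: str) -> Throttle:
        return self.throttles.setdefault(key, Throttle())

    def _record_failure(self, key: str, now: float) -> None:
        t = self._throttle(key)
        t.failures += 1
        if t.failures > MAX_FREE_ATTEMPTS:
            excess = t.failures - MAX_FREE_ATTEMPTS  # 1, 2, 3, ... -> 2 s, 4 s, 8 s, ...
            t.locked_until = now + min(BASE_DELAY_SECONDS * 2 ** (excess - 1), MAX_DELAY_SECONDS)

    def verify(self, account: str, client_ip: str, otp: str, now=None) -> tuple:
        """Return (accepted, message); the message is GENERIC_MESSAGE in every case."""
        now = time.time() if now is None else now
        keys = (f"acct:{account}", f"ip:{client_ip}")
        # While the account or the IP is backing off, refuse without testing the code,
        # so a throttled caller learns nothing about whether the guess was right.
        if any(self._throttle(k).locked_until > now for k in keys):
            return False, GENERIC_MESSAGE
        expected = self.otps.get(account, "")
        # Constant-time comparison; an unknown account compares against "" and fails.
        if expected and hmac.compare_digest(expected.encode(), otp.encode()):
            for k in keys:
                self.throttles.pop(k, None)  # success clears both counters
            return True, GENERIC_MESSAGE
        for k in keys:
            self._record_failure(k, now)
        return False, GENERIC_MESSAGE
```

The same throttle applies unchanged to the forgot-password endpoint (IPT-002/IPT-003): key on the submitted e-mail and the client IP, and return GENERIC_MESSAGE whether or not the address exists.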
Finding | Severity | Recommendation | Current Status |
---|---|---|---|
Finding IPT-001: Account Takeover – Allocation of Resources Without Limits or Throttling | Critical | Implement rate limiting on OTP validation requests to restrict the number of attempts from a single IP address or account within a defined timeframe. Additionally, enforce exponential backoff for repeated failed attempts to prevent brute-force attacks. | Fixed |
Finding IPT-002: No rate limiting on Forgot Password feature on the application – Improper Authorization | High | To mitigate this issue, developers should implement a timeout after a number of requests in a period of time or implement a strong CAPTCHA mechanism on the forgot password page. | Fixed |
Finding IPT-003: Email Enumeration through brute force attacks on Forgot Password feature in the application – Allocation of Resources Without Limits or Throttling | Medium | Implement rate limiting on forgot password attempts to prevent brute-force attacks. Block IP addresses that are known to be involved in malicious activity. Ensure the application returns consistent generic error messages in response to an invalid email during the forgot password process. | Fixed |
Finding IPT-004: No Input Validation – Insecure Design | Low | Implement a check for duplicate names during registration. Remove any special characters or malformed data from the email address. Implement input validation. Sanitize the input data. | Fixed |
Finding IPT-005: Unauthorized logouts – Improper Access Control | Low | Implement token validation and verification mechanisms to ensure that only authorized users can delete authentication tokens associated with their own accounts. | Fixed |
Finding IPT-006: Weak Password Policy – Weak Password Requirements | Low | Require passwords to be at least 12 characters long. Enforce password complexity: require at least one uppercase letter, one lowercase letter, one number and one special character (!, @, #, $, etc.). | Fixed |
Finding IPT-007: User Interface access change – Incorrect Authorization | Low | Implement validation checks to ensure that users have the necessary permissions before accessing the User Interface (UI). | Fixed |
Finding IPT-008: Business Logic Vulnerabilities – Insufficient Session Expiration | Low | Implement a mechanism to log out a user’s account when it is disabled by a super admin. | Fixed |
Finding IPT-009: Business Logic Vulnerabilities – Insufficient Session Expiration | Low | Upon changing a user’s role, terminate all active sessions for that user. This ensures that the user cannot access the previous role or its permissions. | Fixed |
Finding IPT-010: Host Header Injection in Email Activation Links – Improper Neutralization of HTTP Headers for Scripting Syntax | Low | Reject requests with unexpected Host headers. Use an allowlist of trusted domains. Do not generate links dynamically based on request headers. | In Progress |
Finding IPT-011: Inadequate Email Input Validation – Improper Validation of Specified Type of Input | Low | Ensure email addresses are normalized by removing aliasing characters (+ and anything after it before @) before processing. | Fixed |
Finding IPT-012: Excess data exposure – Exposure of Sensitive System Information to an Unauthorized Control Sphere | Informational | Remove application endpoints from the main.js file and the SSO link from the active-profile endpoint. | Fixed |
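An added example of the remediation recommended for IPT-010 and IPT-011 above (not FileGPS or PragmaEdge code): the Host header is checked against a configured allowlist before the request is routed, activation links are built from a configured public origin rather than from the request, and submitted e-mail addresses are normalized by dropping the `+tag` alias. The host names, the origin and all function names are assumptions.

```python
# Added example, not FileGPS code: activation links built from configuration
# rather than the Host header (IPT-010) and "+tag" e-mail normalisation (IPT-011).
# Hosts, origin and function names are assumptions for illustration.
import re
import secrets
from urllib.parse import urlencode

# Trusted public hosts and the canonical origin come from deployment configuration.
ALLOWED_HOSTS = frozenset({"app.example.test", "www.app.example.test"})  # constructed
PUBLIC_ORIGIN = "https://app.example.test"                                 # constructed
_HOST_RE = re.compile(r"^([a-z0-9][a-z0-9.-]*)(:\d{1,5})?$")  # host[:port], DNS names only

class UntrustedHost(ValueError):
    """Raised for a request whose Host header is not on the allowlist."""

def check_host_header(host_header: str) -> str:
    """Allowlist check to run before routing: returns the bare host, or raises.
    Anything that is not an exact allowlisted name (case-insensitive, port ignored) is
    rejected, so a poisoned header can never influence later link generation."""
    match = _HOST_RE.match((host_header or "").strip().lower())
    if not match or match.group(1) not in ALLOWED_HOSTS:
        raise UntrustedHost(f"unexpected Host header: {host_header!r}")
    return match.group(1)

def activation_link(token: str) -> str:
    """Build the e-mail activation link from PUBLIC_ORIGIN; the request is never consulted."""
    return f"{PUBLIC_ORIGIN}/activate?{urlencode({'token': token})}"

def normalize_email(address: str) -> str:
    """Lower-case the address and drop a '+tag' alias from the local part, so that
    alice+1@... and alice+2@... map to the same account (IPT-011)."""
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not domain or "@" in local or " " in address:
        raise ValueError(f"malformed e-mail address: {address!r}")
    local = local.split("+", 1)[0]
    if not local:
        raise ValueError(f"empty local part after normalisation: {address!r}")
    return f"{local}@{domain}"

def handle_activation_request(host_header: str, email: str) -> tuple:
    """Request flow: validate Host first, normalise the address, then build the link
    from configuration. Returns (normalised_email, link)."""
    check_host_header(host_header)
    token = secrets.token_urlsafe(32)  # single-use token; storage is out of scope here
    return normalize_email(email), activation_link(token)
```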
In conclusion, after thorough examination and testing, we are pleased to report that the target products/systems under assessment contain vulnerabilities of low impact, and we recommend that our Development Team work on patching the reported vulnerabilities regularly with dedicated effort. We appreciate the collaborative effort and commitment to security demonstrated by our Development and Product Support Teams throughout this process. This outcome highlights the importance of regular security assessments and proactive measures in maintaining a robust and secure environment.
In summary, the target application has demonstrated a high level of security, and no immediate actions are required based on the findings of this pentest report. We recommend that our Development Team fix the vulnerabilities categorized as “In Progress” as a priority and maintain a vigilant approach to cybersecurity to ensure the ongoing protection of the organization’s assets and data.
Likely Attack Scenarios:
Brute-forcing of file paths; account takeover through host header injection if an admin account is accessed, which can also lead to unauthorized access to user accounts.
Implications:
Based on the above testing activities, the average risk level across the board is LOW. We suggest that the team implement the measures below regularly to improve the security posture: