Multiple Vulnerabilities Affecting Web-Based Court Case and Document Management Systems

CISA has assisted a researcher with coordinating the disclosure of multiple researcher-discovered vulnerabilities affecting web-based case and document management systems used by multiple state, county, and municipal courts. Affected systems include products from Tyler Technologies and Catalis and custom software used by specific counties in Florida. In summary, the vulnerabilities allow an unauthenticated, remote attacker to access sensitive documents by manipulating identifiers and file names in URLs. CISA understands that some of the vulnerabilities may have been mitigated. Further information is available in the researcher’s disclosure and a corresponding article.

CISA encourages users and administrators to apply security updates as they become available for the following vulnerabilities:

Vulnerability Description 

CVE-2023-6341

Catalis CM360 allows authentication bypass.

CVE-2023-6342

Tyler Technologies Court Case Management Plus "pay for print" allows authentication bypass.

CVE-2023-6343

Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server tssp.aspx allows authentication bypass.

CVE-2023-6344

Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server te003.aspx and te004.aspx allows authentication bypass.

CVE-2023-6352

Aquaforest TIFF Server default configuration allows access to arbitrary files.

CVE-2023-6353

Tyler Technologies Civil and Criminal Electronic Filing Upload.aspx allows authentication bypass.

CVE-2023-6354

Tyler Technologies Magistrate Court Case Management Plus PDFViewer.aspx allows authentication bypass.

CVE-2023-6375

Tyler Technologies Magistrate Court Case Management Plus stores backups insecurely.

CVE-2023-6376

Henschen & Associates court document management software cache uses predictable file names.

Read more... Alerts