Lleidanet PKI SL, the company behind the eSigna product, has identified and resolved vulnerabilities in the eSignaViewer component. These issues involve Path Traversal and Insecure Direct Object Reference (IDOR) vulnerabilities, both stemming from improper implementation of security controls. Exploiting these flaws, an attacker could manipulate inputs such as file paths and object identifiers to gain unauthorized access to potentially sensitive files without authentication. Path Traversal vulnerabilities allow attackers to craft malicious file paths to traverse directories and access restricted files. Similarly, the IDOR vulnerability arises from insufficient authorization checks on user-controlled object references, such as document IDs, enabling attackers to bypass permissions and access unauthorized resources.

Although the potential consequences of these vulnerabilities are not significant, they could still lead to unauthorized access to sensitive data and regulatory violations. To mitigate these risks, all affected versions of eSignaViewer have been upgraded to patched versions, as outlined below. In line with its commitment to best security practices, Lleidanet PKI has promptly released updates to address these issues by implementing stronger input validation and robust authorization controls.

Additionally, organizations are encouraged to adopt complementary security measures, such as logging suspicious activities, performing regular security audits, and monitoring for signs of potential exploitation. These practices will help enhance overall security and prevent similar vulnerabilities from being exploited in the future.

---

Affected Versions:

• 1.3.1 and earlier
• 1.4.3 and earlier
• 4.0.3 and earlier
• 4.1.2 and earlier
• 5.0.1 and earlier
• 5.1.1 and earlier
• 5.2.3 and earlier
• 5.3.2 and earlier
• 5.4.0 and earlier

Fixed Versions:

• 1.3.2
• 1.4.4
• 4.0.4
• 4.1.4
• 5.0.2
• 5.1.2
• 5.2.4
• 5.3.3
• 5.4.1

Users should immediately upgrade to the corresponding fixed version to eliminate these vulnerabilities and protect sensitive data from unauthorized access.

Acknowledgments

Lleidanet PKI thanks the following party for its efforts discovering and identifying this vulnerability:

• Pablo Alcarria, Pentester & Cybersecurity Analyst at Infoport Valencia SA