#infosec #vulnerability

Disorder in the Court

Insufficient permission check vulnerabilities in public court record platforms from multiple vendors allowed unauthorized public access to sealed, confidential, unredacted, and/or otherwise restricted case documents. Affected documents include witness lists and testimony, mental health evaluations, child custody agreements, detailed allegations of abuse, corporate trade secrets, jury forms, and much more.

https://github.com/qwell/disorder-in-the-court

Catalis - CMS360 is used in Georgia, Mississippi, Ohio, and Tennessee. Catalis is a "government solutions" company that provides a wide array of public record, payment, and regulatory/compliance platforms.

Henschen & Associates - CaseLook is used in Ohio. Henschen & Associates did not respond after multiple reports.

Tyler Technologies - Court Case Management Plus is used in Georgia. In February 2022, a different Tyler Technologies court records platform had a similar vulnerability that allowed the website judyrecords.com to accidentally scrape sensitive data.

Five platforms used by individual courts in Florida -- Brevard County, Hillsborough County, Lee County, Monroe County, and Sarasota County -- are each presumed to be developed "in-house" by the county court.

While all of the platforms allowed unintended public access to restricted documents, the severity varied based on the levels of restrictions that could be bypassed and the discoverability of document IDs. The methods used to exploit each of the vulnerabilities also varied, but could all be performed by an unauthenticated attacker using only a browser's developer tools.
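As an added illustration (not code from the disclosure, the repository, or any of the vendors named above), the snippet below models the flaw class in a few dozen lines: a document-retrieval handler whose only gate is "does this ID exist", beside a hardened version that enforces the restriction server-side. The record layout, the `restricted` flag, the party names and the document IDs are all constructed for the example. The audit helper at the end is the kind of self-check an operator could run against their own store: it asks which restricted records an anonymous caller can still retrieve.

```python
"""Insufficient permission check on court document retrieval: vulnerable vs. hardened.

Everything here is constructed for illustration and assumes a simple in-memory
store; it does not reflect any named vendor's code or data model.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Document:
    doc_id: str
    case_id: str
    body: str
    restricted: bool                        # sealed / confidential / unredacted
    authorized_parties: Set[str] = field(default_factory=set)


# Constructed sample records (hypothetical IDs and content).
DOCUMENTS = {
    "1001": Document("1001", "CV-1", "public docket entry", restricted=False),
    "1002": Document("1002", "CV-1", "sealed evaluation", restricted=True,
                     authorized_parties={"judge_a", "clerk_b"}),
    "1003": Document("1003", "CV-2", "public order", restricted=False),
}


def fetch_document_vulnerable(doc_id: str, user: Optional[str]) -> Optional[str]:
    """Flaw: the handler returns any record whose ID resolves.

    The restriction flag exists on the record but is never consulted here; the
    only thing keeping the document out of public view is that the public UI
    does not render a link to it. Anything a browser's developer tools can
    change (hidden form fields, client-side checks, request parameters) is not
    an access control.
    """
    doc = DOCUMENTS.get(doc_id)
    return doc.body if doc else None


def fetch_document_hardened(doc_id: str, user: Optional[str]) -> Optional[str]:
    """Fix: the restriction is enforced on the server for every request.

    Restricted records are released only to parties explicitly authorized on
    that record. An unauthorized request gets the same response as a missing
    record, so the endpoint does not confirm that a sealed document exists.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return None
    if doc.restricted and (user is None or user not in doc.authorized_parties):
        return None
    return doc.body


def audit_anonymous_exposure(
    fetch: Callable[[str, Optional[str]], Optional[str]]
) -> List[str]:
    """Operator self-check: IDs of restricted records an anonymous caller can read.

    Walks the store rather than guessing IDs, so it tests the handler's
    authorization logic directly. An empty list is the expected result.
    """
    return sorted(
        d.doc_id for d in DOCUMENTS.values()
        if d.restricted and fetch(d.doc_id, None) is not None
    )


if __name__ == "__main__":
    print("vulnerable exposes:", audit_anonymous_exposure(fetch_document_vulnerable))
    print("hardened exposes:  ", audit_anonymous_exposure(fetch_document_hardened))
```

The important design point is where the decision is made: the hardened handler consults the record's own restriction state on the server for every fetch, regardless of how the request was constructed, and does not distinguish "sealed" from "absent" in its response. The audit function turns that property into something measurable, which is how a platform operator would verify a fix rather than trusting that the public interface simply does not link to the restricted records.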

CVE-2023-6341, CVE-2023-6342, CVE-2023-6343, CVE-2023-6344, CVE-2023-6352, CVE-2023-6353, CVE-2023-6354, CVE-2023-6375, CVE-2023-6376

Note: Additional platforms from other vendors that are known to be vulnerable will be included in future disclosures.

GitHub - qwell/disorder-in-the-court: Court platform vulnerability disclosure(s).

Security flaws in court record systems used in five US states exposed sensitive legal documents | TechCrunch

Exclusive: The vulnerabilities allowed public access to restricted and sensitive court filings using only a web browser.

https://www.cisa.gov/news-events/alerts/2023/11/30/multiple-vulnerabilities-affecting-web-based-court-case-and-document-management-systems

"A researcher" is far nicer than some of the things I've been called. I'll take it! (I kid -- honestly I'm super stoked to see this.)

Software Flaws Exposed Sealed Court Docs, Researcher Says - Law360 Pulse

Soon after cybersecurity researcher Jason Parker began probing a court records website this year, they discovered they could easily access a sealed order granting children new names to protect them from an abusive parent, they said. Next, Parker was able to view an "extremely detailed" mental health evaluation from a doctor in a criminal case.

@RosenzweigP @benjaminwittes @lawfare I'd love to discuss these vulnerabilities on The Lawfare Podcast. I think it would make an excellent follow-up to the Secure By Design episode with CISA (who assisted with this disclosure).