Last active: June 25, 2017 23:49
CVE-2017-9615
[Suggested description]
Password exposure in Cognito Software Moneyworks 8.0.3 (http://cognito.co.nz/) and earlier allows
attackers to gain administrator access to all data, because verbose logging writes the administrator password to a world-readable file.
------------------------------------------
[Additional Information]
1. Original issue discovered and notified to the vendor: 6 June 2017
2. Vendor response acknowledging issue: 6 June 2017
3. Vendor second response confirming they do not plan on fixing the issue: 12 June 2017
4. I've confirmed again with the developer that they don't intend to fix this bug in the short term: 23 June 2017
------------------------------------------
[VulnerabilityType Other]
Password exposure in logs
------------------------------------------
[Vendor of Product]
Cognito Software
------------------------------------------
[Affected Product Code Base]
Moneyworks - All versions up to 8.0.3
------------------------------------------
[Affected Component]
Moneyworks executable
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
When logs are set to verbose, administrator passwords are logged to world-readable files.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Aristedes Maniatis
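The advisory describes two defects stacked on each other: a verbose log level that writes the administrator password out in clear, and a log file created world-readable. The example below is an added illustration written for this page, not Moneyworks code or anything from Cognito. It shows the defender's side of both defects: an `audit_log_file()` check that flags a log as exposed (world-readable mode, credential-like `key=value` lines) so an operator can find the problem, and a `PrivateRedactingLogger` that shows the hardened pattern of redacting credential values before they reach disk and creating the file with mode 0600. The key names matched by the regex, the sample log lines and the file paths are constructed assumptions for the demo.

```python
"""Added example (not Cognito's code): detection and mitigation for the
failure mode in the advisory -- an application writing the administrator
password to a world-readable log when verbose logging is enabled.

All key names, sample lines and paths are constructed for this example.
"""
import os
import re
import stat
import tempfile

# Assumption: the application emits settings as "key=value" or "key: value".
# Keys in this list are treated as credentials whose value must never be logged.
_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token)\b(\s*[:=]\s*)(\S+)"
)
_MASK = "[REDACTED]"


def redact_secrets(line: str) -> str:
    """Replace the value part of every credential-like key=value pair."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{_MASK}", line)


def is_world_readable(path: str) -> bool:
    """True if 'other' users have read permission on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_log_file(path: str) -> dict:
    """Scan an existing log for credential exposure.

    Returns {'world_readable': bool, 'exposures': [(line_no, redacted_line)]}.
    Exposed lines are reported in redacted form so the audit output does not
    repeat the secret; already-redacted values are not counted as exposures.
    """
    exposures = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if any(m.group(3) != _MASK for m in _SECRET_RE.finditer(line)):
                exposures.append((no, redact_secrets(line.rstrip("\n"))))
    return {"world_readable": is_world_readable(path), "exposures": exposures}


class PrivateRedactingLogger:
    """Hardened logger: owner-only file mode and redaction at write time."""

    def __init__(self, path: str):
        # O_CREAT with mode 0600 sets permissions at creation; the temporary
        # umask(0o077) ensures no moment where the file is wider than intended.
        old_umask = os.umask(0o077)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        finally:
            os.umask(old_umask)
        self._fh = os.fdopen(fd, "a", encoding="utf-8")
        self.path = path

    def verbose(self, message: str) -> None:
        """Verbose-level write; credential values never reach the file."""
        self._fh.write(redact_secrets(message) + "\n")
        self._fh.flush()

    def close(self) -> None:
        self._fh.close()


def demo() -> dict:
    """Write a constructed naive verbose log and a hardened one; audit both."""
    tmp = tempfile.mkdtemp()
    naive = os.path.join(tmp, "app-verbose.log")
    hardened = os.path.join(tmp, "app-hardened.log")

    # Constructed sample of what a naive verbose logger might emit.
    with open(naive, "w", encoding="utf-8") as fh:
        fh.write("[verbose] loading config\n")
        fh.write("[verbose] admin login user=admin password=Hunter2!\n")
    os.chmod(naive, 0o644)  # world-readable, the condition the advisory reports

    logger = PrivateRedactingLogger(hardened)
    logger.verbose("[verbose] loading config")
    logger.verbose("[verbose] admin login user=admin password=Hunter2!")
    logger.close()

    return {"naive": audit_log_file(naive), "hardened": audit_log_file(hardened)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` reports the naive log as world-readable with one exposed line (shown redacted), and the hardened log as owner-only with no exposures. The audit function is the piece worth reusing on its own: pointed at an application's existing log directory, it gives a quick answer to "is this log readable by everyone, and does it contain anything that looks like a credential?" without itself copying the secret into the report.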