CVE-2023-28441
smartCARS 3 Password Stored as plain text in Error Log
Vexday Risk Score
21 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8 | EPSS 0.4% | KEV no | PoC — | Nuclei — | Metasploit — | Patch —
Lifecycle
23 Mar 2023: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
smartCARS 3 is flight tracking software. In version 0.5.8 and prior, all persons who have failed login attempts will have their password stored in error logs. This problem doesn't occur in version 0.5.9. As a workaround, delete the affected log file, and ensure one logs in correctly.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Affected products
invernyx · smartcars-3-bugs