CVE-2024-36497

Unhashed Storage of Password

CVSS 9.1 CRITICAL | EPSS 0.5% | CWE-312
Vexday Risk Score
28 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.1 | EPSS 0.5% | KEV no | PoC | Nuclei | Metasploit | Patch
Lifecycle
24 Jun 2024: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect entirely.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
