History: Jun 24, 2024 - 9:15 a.m.

CVE-2024-36497

2024-06-24 09:15:09
CWE-312
SEC-VLab
web.nvd.nist.gov
Tags: password, configuration, winselect, cleartext, restrictions

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 6.7
Confidence: Low

EPSS: 0
Percentile: 15.6%

The decrypted configuration file contains the password in cleartext
which is used to configure WINSelect. It can be used to remove the
existing restrictions and disable WINSelect entirely.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "WINSelect (Standard + Enterprise)",
    "vendor": "Faronics",
    "versions": [
      {
        "status": "unaffected",
        "version": "8.30.xx.903",
        "versionType": "custom"
      }
    ]
  }
]
