[CVE-2017-16632] SapphireIMS: Insecure storage of password

Description

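In SapphireIMS 4097_1, passwords are stored in the database Base64-encoded. Base64 is a reversible encoding, not a hash or encryption, so anyone with read access to the database can recover the plaintext passwords.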
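An added example (not part of the original advisory and not SapphireIMS code): a Python audit check that flags stored credentials recoverable by plain Base64 decoding, beside a salted PBKDF2 replacement. The sample rows, function names, record format and iteration count are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def looks_like_base64_plaintext(stored):
    """Heuristic: value strictly decodes from Base64 to printable text."""
    try:
        raw = base64.b64decode(stored, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return False
    return bool(text) and text.isprintable()


def audit(rows):
    """Return usernames whose stored credential is reversible by decoding."""
    return [user for user, stored in rows if looks_like_base64_plaintext(stored)]


def hash_password(password):
    """Build a salted record: pbkdf2_sha256$<salt hex>$<digest hex>."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt; compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed sample rows (username, stored credential); not real data.
ROWS = [
    ("alice", base64.b64encode(b"Winter2017!").decode()),  # weak: encoded only
    ("bob", hash_password("Winter2017!")),                 # salted, one-way
]

if __name__ == "__main__":
    print("reversible credentials:", audit(ROWS))
```

The Base64 check is a heuristic for triage; a value it flags should be confirmed against how the application actually writes the column.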

CVSS 3.0 Base Score

4.4 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

CWE

CWE-261: Weak Cryptography for Passwords

Researcher

Tanoy Bose

POC

Look at the database

Vulnerability Tracker

Disclosure timelines

  • 14 Sept, 2017 - Informed vendor; No response
  • 15 Sept, 2017 - Informed CERT/CC
  • 26 Sept, 2017 - First follow up; No response
  • 30 Oct, 2017 - Second follow up; No response
  • 06 Nov, 2017 - Assigned CVE