[CVE-2020-25561] SapphireIMS: Hardcoded credentials

Description

It was observed that SapphireIMS used the default credentials sapphire:ims to connect the client to the server. These credentials are stored in the ServerConf.config file on the client.

CVSS 3.0 Base Score

4.4 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Researcher

Tanoy Bose

POC

Hardcoded Credentials

Vulnerability Tracker

Disclosure timelines

  • 07 May, 2020 - Vendor informed; failed
  • 16 Sept, 2020 - CERT/CC and CERT-In informed