CVE-2018-15681

Name of the Vulnerable Software and Affected Versions BTITeam XBTIT version 2.5.4

Description An issue was discovered where the password hash of a user is rehashed using a predictable salt and stored in the pass cookie, which is not flagged as HTTPOnly. This allows an attacker who steals the cookie to efficiently brute-force it and retrieve the user's cleartext password.

Recommendations For BTITeam XBTIT version 2.5.4, consider disabling the storage of password hashes in the pass cookie until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation. Avoid using predictable salts for password hashing. At the moment, there is no information about a newer version that contains a fix for this vulnerability.