PT-2019-9449 · Kofax · Kofax Front Office Server Administration Console

Published: 2019-04-18
Updated: 2019-10-03
CVE: CVE-2018-17287
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Vulnerable Software and Affected Versions: Kofax Front Office Server Administration Console version 4.1.1.11.0.5212
Description: The issue allows the exfiltration of sensitive information, such as passwords, which are obfuscated in the front-end but can be retrieved in cleartext through the back-end. This is done via the "download" feature, as shown by the downloadsettingvalue operation applied to the mfp.password setting. As the CVSS vector (PR:H) indicates, the operation requires high-privilege access to the administration console.
Recommendations: For Kofax Front Office Server Administration Console version 4.1.1.11.0.5212, consider restricting access to the back-end "download" feature to minimize the risk of sensitive information exfiltration. As a temporary workaround, avoid using the downloadsettingvalue operation for sensitive settings such as mfp.password until a fix is available.


Weakness Enumeration
  Insufficient Verification of Data Authenticity
  Missing Encryption of Sensitive Data

Related identifiers
  CVE-2018-17287

Affected products
  Kofax Front Office Server Administration Console