PT-2023-20006 · Stimulsoft · Stimulsoft Designer

Bsc

+4

Published: 2023-03-27

Updated: 2023-04-03

CVE-2023-25263

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Stimulsoft Designer (Desktop) versions 2023.1.4 through 2023.1.5

Description: The issue allows an attacker to decrypt connection strings stored in .mrt files by decompiling the Stimulsoft.report.dll, as it uses a static secret that does not differ between versions or operating systems.

Recommendations: For versions 2023.1.4 and 2023.1.5, consider restricting access to the Stimulsoft.report.dll file to prevent decompilation until a patch is available. As a temporary workaround, avoid storing sensitive connection strings in .mrt files for these versions.

Exploit

Fix

Cleartext Storage of Sensitive Information


Weakness Enumeration

Related Identifiers

CVE-2023-25263

Affected Products

Stimulsoft Designer
Stimulsoft.Report.Dll