Entrust · Entrust Instant Financial Issuance · CVE-2024-39341
**Name of the Vulnerable Software and Affected Versions**
Entrust Instant Financial Issuance (On Premise) Software versions 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier
**Description**
The issue concerns a configuration file, specifically `WebAPI.cfg.xml`, which is left behind after the installation process. This file can be accessed without authentication on HTTP port 80 by guessing the correct IIS webroot path. It contains system configuration parameter names and values, including sensitive configuration values that are encrypted.
**Recommendations**
For versions 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier, consider restricting access to the `WebAPI.cfg.xml` file to prevent unauthorized access until a patch is available.
As a temporary workaround, restrict access to HTTP port 80 to minimize the risk of exploitation.
Avoid using guessable IIS webroot paths for sensitive configuration files until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
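Since the description states that the file is served without authentication on port 80, existing IIS logs can show whether it has already been retrieved. The script below is an added example, not Entrust's code: it assumes IIS W3C extended logging with a `#Fields:` header, and the `/IFI/` path, addresses and log lines are constructed placeholders.

```python
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format (not real traffic). "/IFI/" is a
# placeholder webroot path; addresses come from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-07-01 10:00:01 192.0.2.10 GET /IFI/WebAPI.cfg.xml - 80 - 198.51.100.7 curl/8.0 200
2024-07-01 10:00:05 192.0.2.10 GET /IFI/webapi.CFG.xml - 80 - 198.51.100.7 curl/8.0 404
2024-07-01 10:02:11 192.0.2.10 GET /IFI/api/status - 443 svc_ifi 203.0.113.5 Mozilla/5.0 200
2024-07-01 10:03:40 192.0.2.10 GET /IFI/WEBAPI.CFG.XML - 80 - 203.0.113.9 Mozilla/5.0 200
"""

TARGET = "webapi.cfg.xml"  # file name from the advisory, compared case-insensitively


def find_config_requests(lines):
    """Return one record per logged request for WebAPI.cfg.xml."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        path = unquote(row.get("cs-uri-stem", ""))
        if path.rsplit("/", 1)[-1].lower() != TARGET:
            continue
        status = row.get("sc-status", "")
        anonymous = row.get("cs-username", "-") == "-"
        hits.append({
            "when": f'{row.get("date", "?")} {row.get("time", "?")}',
            "client": row.get("c-ip", "?"),
            "port": row.get("s-port", "?"),
            "path": path,
            "status": status,
            # a 2xx answer to an unauthenticated client means the file was served
            "exposed": anonymous and status.startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_config_requests(SAMPLE_LOG.splitlines()):
        flag = "SERVED" if hit["exposed"] else "blocked/absent"
        print(hit["when"], hit["client"], hit["port"], hit["path"], hit["status"], flag)
```

Any record marked as served means the configuration file left the host; records with other status codes still show that a client requested it.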