PT-2019-9449 · Kofax · Kofax Front Office Server Administration Console
Published 2019-04-18 · Updated 2019-10-03 · CVE-2018-17287
CVSS v3.1: 4.9 (Medium)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Kofax Front Office Server Administration Console version 4.1.1.11.0.5212
Description
The issue allows the exfiltration of sensitive information, such as passwords, which are obfuscated in the front-end but can be read in cleartext through the back-end. This is achieved through the "download" feature, as demonstrated by the downloadsettingvalue operation applied to the mfp.password setting.

Recommendations
For Kofax Front Office Server Administration Console version 4.1.1.11.0.5212, consider restricting access to the back-end "download" feature to minimize the risk of sensitive-information exfiltration. As a temporary workaround, avoid using the downloadsettingvalue operation for sensitive settings such as mfp.password until a fix is available.

Exploit
Fix
Insufficient Verification of Data Authenticity
Missing Encryption of Sensitive Data
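One way an operator can audit access logs for the back-end download path described above, as an added example that is not part of this advisory or of Kofax's own code: it flags served downloadsettingvalue requests whose setting name looks like a password (mfp.password as named in the advisory, generalised to similar names). The query-parameter names, the /admin/settings path and the sample log lines are assumptions constructed for the example, not taken from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the advisory): the operation and setting name travel as
# query parameters "operation" and "setting" on a hypothetical /admin/settings
# path. Adjust both to the real request format before use.
OPERATION_PARAM = "operation"
SETTING_PARAM = "setting"
DOWNLOAD_OPERATION = "downloadsettingvalue"
# mfp.password is named in the advisory; generalised to any password-like name.
SENSITIVE_SETTING = re.compile(r"password|passwd|secret", re.IGNORECASE)
# Combined-log-format line: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line; return a dict of fields or None on mismatch."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    query = parse_qs(urlsplit(entry["target"]).query)
    entry["operation"] = query.get(OPERATION_PARAM, [""])[0].lower()
    entry["setting"] = query.get(SETTING_PARAM, [""])[0]
    return entry

def is_sensitive_download(entry):
    """True when a download of a password-like setting value was served (2xx)."""
    return (entry["operation"] == DOWNLOAD_OPERATION
            and entry["status"].startswith("2")
            and SENSITIVE_SETTING.search(entry["setting"]) is not None)

def scan(lines):
    """Return (user, client, setting) for every served sensitive download."""
    return [(e["user"], e["client"], e["setting"])
            for e in map(parse_line, lines) if e and is_sensitive_download(e)]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [03/Oct/2019:10:01:02 +0000] "GET /admin/settings?operation=list HTTP/1.1" 200 512',
    '10.0.0.5 - admin [03/Oct/2019:10:01:09 +0000] "GET /admin/settings?operation=downloadsettingvalue&setting=mfp.password HTTP/1.1" 200 64',
    '10.0.0.9 - auditor [03/Oct/2019:10:02:30 +0000] "GET /admin/settings?operation=downloadsettingvalue&setting=mfp.hostname HTTP/1.1" 200 40',
    '10.0.0.9 - auditor [03/Oct/2019:10:02:31 +0000] "GET /admin/settings?operation=downloadsettingvalue&setting=smtp.password HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for user, client, setting in scan(SAMPLE_LOG):
        print(f"ALERT: {user} from {client} retrieved cleartext value of {setting}")
```

A 403 on a password-like setting (last sample line) is not reported as a leak, which is the outcome the access restriction in the Recommendations is meant to produce.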
Related Identifiers
Affected Products
Kofax Front Office Server Administration Console