PT-2023-20006 · Stimulsoft · Stimulsoft Designer

Bsc

Published: 2023-03-27 · Updated: 2023-04-03 · CVE-2023-25263

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Stimulsoft Designer (Desktop) versions 2023.1.4 through 2023.1.5

Description

The issue allows an attacker to decrypt connection strings stored in .mrt files by decompiling Stimulsoft.report.dll, because the DLL uses a static secret that does not differ between versions or operating systems.

Recommendations

For versions 2023.1.4 and 2023.1.5, consider restricting access to the Stimulsoft.report.dll file to prevent decompilation until a patch is available. As a temporary workaround, avoid storing sensitive connection strings in .mrt files for these versions.

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2023-25263

Affected Products

Stimulsoft Designer
Stimulsoft.Report.Dll