PT-2023-25335 · Ysoft · Ysoft Safeq 6 Server
Published
2023-07-13
·
Updated
2024-08-02
·
CVE-2023-35833
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
YSoft SAFEQ 6 Server versions prior to 6.0.82
Description
An issue was discovered in YSoft SAFEQ 6 Server: changing the URL of a configured LDAP server from an ldaps:// address to an ldap:// address does not require the stored bind password to be re-entered. The server keeps the saved credentials and reuses them over the now-unencrypted connection, so a user who can edit the LDAP server configuration can point it at a rogue LDAP server and capture the bind credentials in cleartext. This matches the CVSS vector: reachable over the network, low privileges required, no user interaction, and a high confidentiality impact with no integrity or availability impact.
Recommendations
For versions prior to 6.0.82, update to version 6.0.82 or later to resolve the issue. As a temporary workaround, restrict access to the LDAP server configuration to the smallest possible set of administrators, and verify that the configured URL still uses ldaps:// rather than ldap://. Do not run the LDAP integration over plain ldap://, since that sends the bind password in cleartext, until the update has been applied.
Fix
Fixed in YSoft SAFEQ 6 Server 6.0.82.
Weakness Enumeration
CWE-319: Cleartext Transmission of Sensitive Information
Related Identifiers
CVE-2023-35833
Affected Products
Ysoft Safeq 6 Server