CVE-2023-6329

Name of the Vulnerable Software and Affected Versions Control iD iDSecure versions 4.7.32.0 through 4.7.43.0

Description The issue is related to an authentication bypass vulnerability. It is caused by weaknesses in the authentication procedure when handling the passwordCustom parameter of the iDS-Core.dll library. This can allow a remote attacker to bypass authentication, gain unauthorized access to protected information, and elevate their privileges. The vulnerability enables an unauthenticated attacker to compute valid credentials, which can be used to act as an administrative user.

Recommendations For versions 4.7.32.0 through 4.7.43.0, consider disabling the passwordCustom option in the iDS-Core.dll library as a temporary workaround until a patch is available. Restrict access to the iDS-Core.dll library to minimize the risk of exploitation. Avoid using the passwordCustom parameter in the login routine until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.