PT-2024-28459 · Entrust · Entrust Instant Financial Issuance

Omar A. Crespo +1 · Published 2024-09-23 · Updated 2024-11-04 · CVE-2024-39341

CVSS v3.1: 5.9 Medium

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Entrust Instant Financial Issuance (On Premise) Software versions 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier
Description

The installer of Entrust Instant Financial Issuance leaves a configuration file, WebAPI.cfg.xml, inside the IIS webroot after installation. IIS serves it like any other static file, so it can be retrieved without authentication over HTTP on port 80 by anyone who guesses the correct webroot path. The file lists system configuration parameter names and their values. The sensitive values are stored encrypted, so what an unauthenticated reader obtains directly is the full set of parameter names, every non-sensitive value, and the ciphertext of the sensitive ones.
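The exposure described above can be checked from the network side. The following is an added example written for this page, not Entrust's code and not a tool from the advisory: it builds URLs for a set of guessed IIS webroot names (the names are assumptions), requests each one, and for any response that is XML rather than an error page reports which parameters are present and whether each value is marked encrypted, without printing the values themselves. The XML element and attribute names it parses (`setting`, `name`, `encrypted`) and the sample file are constructed for the demo and must be adapted to the real file's schema.

```python
"""Probe a host for a leftover WebAPI.cfg.xml (CVE-2024-39341).

Added example, not Entrust's or the advisory's code. The candidate webroot
names, the XML schema assumed by summarize_config() and SAMPLE_CONFIG are
assumptions/constructed data for the demo.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

CONFIG_NAME = "WebAPI.cfg.xml"

# Hypothetical IIS virtual-directory names to try; extend the list with
# names observed on the target (for example from other application URLs).
CANDIDATE_WEBROOTS = ["", "WebAPI", "IFI", "IFI/WebAPI", "api", "EntrustIFI"]

# Constructed sample in the assumed schema; values are placeholders only.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <setting name="DatabaseServer" encrypted="false">sql01.example.local</setting>
  <setting name="DatabasePassword" encrypted="true">BASE64-CIPHERTEXT-1</setting>
  <setting name="HsmPin" encrypted="true">BASE64-CIPHERTEXT-2</setting>
</configuration>
"""


def candidate_urls(host: str, port: int = 80, webroots=CANDIDATE_WEBROOTS) -> list:
    """Build one URL per guessed webroot, in order, without duplicates."""
    urls = []
    for root in webroots:
        root = root.strip("/")
        path = f"/{root}/{CONFIG_NAME}" if root else f"/{CONFIG_NAME}"
        url = f"http://{host}:{port}{path}"
        if url not in urls:
            urls.append(url)
    return urls


def looks_like_config(body: bytes) -> bool:
    """True if the body parses as XML and is not an HTML error page.

    IIS 'friendly' error pages can come back with status 200, so a status
    check alone is not enough to confirm the file was served.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag.lower() != "html"


def summarize_config(xml_bytes: bytes) -> dict:
    """Return {parameter name: 'encrypted' | 'plaintext'} for a fetched file.

    The <setting name=... encrypted=...> layout is an assumption for this
    example. Values are classified but never returned, so running the probe
    does not copy secrets into the operator's logs.
    """
    root = ET.fromstring(xml_bytes)
    summary = {}
    for setting in root.iter("setting"):
        name = setting.get("name")
        if not name:
            continue
        encrypted = (setting.get("encrypted") or "").lower() == "true"
        summary[name] = "encrypted" if encrypted else "plaintext"
    return summary


def probe(host: str, port: int = 80, timeout: float = 5.0) -> list:
    """GET every candidate URL; return (url, summary) for each exposed copy."""
    hits = []
    for url in candidate_urls(host, port):
        req = urllib.request.Request(url, headers={"User-Agent": "cfg-probe/1.0"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status != 200:
                    continue
                body = resp.read()
        except (urllib.error.URLError, OSError):
            continue  # 404/403/refused: this guess is not exposed
        if looks_like_config(body):
            hits.append((url, summarize_config(body)))
    return hits


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("offline demo:", summarize_config(SAMPLE_CONFIG))
    else:
        for url, summary in probe(sys.argv[1]):
            print(f"EXPOSED {url}")
            for name, kind in summary.items():
                print(f"  {name}: {kind}")
```

Run it as `python probe_cfg.py <host>`; with no argument it only summarises the constructed sample. A hit is the URL plus the parameter names and their encrypted/plaintext classification. Re-run it after applying a mitigation and expect no hits: a 403 or 404 for every candidate URL.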
Recommendations

For versions 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier, restrict access to WebAPI.cfg.xml until a patch is available, for example by configuring the web server to refuse unauthenticated requests for that file. As a temporary workaround, restrict access to HTTP port 80 to trusted hosts to reduce the exposure. Avoid installing under a guessable IIS webroot path, bearing in mind that an unusual path only raises the cost of guessing and is not a substitute for an access control on the file. At the time of writing there is no information about a version that contains a fix for this vulnerability.
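One way to implement the "restrict access to the file" recommendation on IIS, shown here as an added example that is not part of the advisory or of Entrust's shipped configuration: an IIS request-filtering hidden segment for the file name. Request filtering rejects a hidden segment wherever it appears in the URL, so a single entry covers every webroot guess rather than one path, and it does not depend on the application's own authentication. The file location and site layout are assumptions; apply the fragment in the web.config of the site or virtual directory that serves the leftover file, or at server level in applicationHost.config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not Entrust's configuration. Assumes WebAPI.cfg.xml is
     served from a site under IIS with the Request Filtering module present
     (it is installed by default on IIS 7 and later). -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Any request whose URL contains this segment, including
             /WebAPI.cfg.xml and /<any-webroot>/WebAPI.cfg.xml, is answered
             with 404 (substatus 8, hidden namespace) before it reaches
             static file handling. web.config itself is protected by IIS in
             exactly the same way. -->
        <hiddenSegments>
          <add segment="WebAPI.cfg.xml" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After saving the file, IIS picks up the change without a restart. Verify by requesting the file directly and by checking the IIS log for the 404.8 entries; the application process still reads the file from disk, so this does not interfere with the WebAPI's own use of its configuration, unlike deleting or moving the file, which should only be done if the application is confirmed not to read it from that location.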

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2024-39341

Affected Products

Entrust Instant Financial Issuance