CVE-2024-39342

Name of the Vulnerable Software and Affected Versions Entrust Instant Financial Issuance (formerly known as Cardwizard) versions 6.8.x and earlier, 6.9.0, 6.9.1, 6.9.2, 6.10.0

Description The issue concerns the use of a DLL library with a custom AES encryption process that relies on static hard-coded key values, which are not uniquely generated per installation of the software. This, combined with an encrypted password obtainable from "WebAPI.cfg.xml", makes decryption trivial and can lead to privilege escalation on the Windows host.

Recommendations For versions 6.8.x and earlier, 6.9.0, 6.9.1, 6.9.2, 6.10.0, consider updating to a version that does not use static hard-coded key values for AES encryption, or temporarily restrict access to the DCG.Security.dll library until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.