A vulnerability, which was classified as problematic, has been found in PaperThin Commonspot Content Server up to 8.0.0. Affected by this issue is an unknown function of the component Default Configuration. The manipulation with an unknown input leads to a credentials management vulnerability. Using CWE to declare the problem leads to CWE-255. Impacted is confidentiality. CVE summarizes:

The default configuration of PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 uses cleartext for storage of credentials in a database, which makes it easier for context-dependent attackers to obtain sensitive information via unspecified vectors.

The weakness was released 04/15/2014 as confirmed advisory (CERT.org). The advisory is shared for download at kb.cert.org. This vulnerability is handled as CVE-2014-2870 since 04/15/2014. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1552.

The vulnerability scanner Nessus provides a plugin with the ID 73611 , which helps to determine the existence of the flaw in a target environment.

Upgrading to version 8.0.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (73611). Entries connected to this vulnerability are available at VDB-69360, VDB-69359, VDB-69358 and VDB-69357.

Productinfo

Vendor

• PaperThin

Name

• Commonspot Content Server

Version

• 8.0

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion