CVE-2025-13175 in SafeQ 6

Summary

by MITRE • 01/14/2026

Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector. This issue affects Y Soft SafeQ 6 in versions before MU106.


Analysis

by VulDB Data Team • 01/14/2026

The vulnerability identified as CVE-2025-13175 resides within the Y Soft SafeQ 6 software platform, specifically impacting the Workflow Connector component that manages password-protected scan workflows. This issue represents a critical security flaw that undermines the confidentiality of sensitive authentication credentials. The vulnerability manifests when administrators with access to the user interface attempt to inspect the password field through browser developer tools, which exposes the plaintext password value. This weakness directly violates fundamental security principles and creates an unnecessary risk vector for organizations relying on the SafeQ platform for document management and workflow automation.

The technical implementation flaw stems from improper handling of sensitive data within the web-based user interface of the SafeQ 6 platform. When the Workflow Connector password field is rendered in the browser, the system fails to adequately obscure or encrypt the password value during display operations. This behavior allows attackers with legitimate administrative access to leverage browser inspection capabilities to extract the plaintext credentials. The vulnerability specifically affects versions prior to MU106, indicating that the issue was introduced in the software's development lifecycle and subsequently patched in the update. This flaw aligns with CWE-200, which addresses the improper exposure of sensitive information, and represents a clear violation of secure coding practices that should prevent sensitive data from being exposed through client-side interfaces.
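To make the rendering flaw concrete, the following is an added example (not SafeQ code, and not from Y Soft or VulDB): a server-side form renderer for a connector credential in the leaky shape the analysis describes, next to a hardened shape that never echoes the stored secret, plus a check a reviewer can run over rendered markup. The connector fields and the sample password are constructed values.

```javascript
// Added example, not SafeQ code. Connector name, host and secret below are
// constructed sample values.

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Leaky pattern: the stored secret is written into the markup. type="password"
// only masks the glyphs on screen; the DOM inspector shows the attribute as-is.
function renderConnectorFormLeaky(connector) {
  return (
    `<form method="post" action="/connectors/${escapeHtml(connector.id)}">` +
    `<input name="host" value="${escapeHtml(connector.host)}">` +
    `<input type="password" name="password" value="${escapeHtml(connector.password)}">` +
    `</form>`
  );
}

// Hardened pattern: the secret never leaves the server. The field is rendered
// empty with a flag saying one is set; a blank submission keeps the stored
// value, a non-blank one replaces it.
function renderConnectorFormHardened(connector) {
  const hasSecret = Boolean(connector.password);
  return (
    `<form method="post" action="/connectors/${escapeHtml(connector.id)}">` +
    `<input name="host" value="${escapeHtml(connector.host)}">` +
    `<input type="password" name="password" value="" autocomplete="new-password"` +
    ` placeholder="${hasSecret ? '(unchanged)' : ''}">` +
    `<input type="hidden" name="password_set" value="${hasSecret ? '1' : '0'}">` +
    `</form>`
  );
}

// Server-side merge for the hardened form: blank password means "keep existing".
function applyConnectorUpdate(stored, submitted) {
  const password = submitted.password === '' ? stored.password : submitted.password;
  return { ...stored, host: submitted.host, password };
}

// Review check: does the secret appear anywhere in the rendered page (attribute,
// inline script, data-* field)? Both the raw and HTML-escaped forms are tested.
function leaksSecret(html, secret) {
  return secret !== '' && (html.includes(secret) || html.includes(escapeHtml(secret)));
}

// Constructed sample connector record.
const sampleConnector = { id: 'scan-to-smb', host: 'files.example.invalid', password: 'Sample#Pw1' };
```

The same `leaksSecret` check can be pointed at any rendered admin page that holds a stored secret; a hit means the value is recoverable with nothing more than the browser's inspector.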

The operational impact of this vulnerability extends beyond simple credential exposure, as it fundamentally compromises the security posture of organizations utilizing password-protected scan workflows. Administrators who possess UI access can trivially extract password values, potentially enabling unauthorized access to connected systems, network resources, or sensitive document repositories. This vulnerability creates an attack surface that adversaries can exploit to escalate privileges or gain access to additional systems within the organization's infrastructure. The implications are particularly severe for environments where scan workflows connect to critical business systems or require elevated privileges for operation. This weakness directly maps to ATT&CK technique T1552.001, which covers credentials from password storage components, and demonstrates how insecure data handling can provide attackers with direct access to authentication mechanisms.

Organizations affected by this vulnerability should immediately implement mitigation strategies to protect their systems from potential exploitation. The primary recommended action involves upgrading to Y Soft SafeQ 6 MU106 or later versions that contain the necessary patches to address the password field rendering issue. Additionally, administrators should review and restrict UI access permissions to only essential personnel who require such privileges for legitimate operational purposes. Network segmentation and access controls should be implemented to limit the potential impact of credential exposure. Security monitoring should be enhanced to detect unusual activities related to administrator access and browser inspection tools. Organizations should also conduct thorough audits of their scan workflow configurations to identify and remediate any instances where password-protected connectors are in use. The vulnerability highlights the importance of proper input sanitization and secure data handling practices, emphasizing that sensitive information should never be exposed through client-side interfaces without appropriate encryption or obfuscation measures.

Responsible: CERT-PL

Reservation: 11/14/2025

Disclosure: 01/14/2026

Moderation: accepted

CPE: ready

EPSS: 0.00065

KEV: no

Activities: very low
