| Titel | Dígitro NGC Explorer 3.44.15 Improper client-side encryption implementation |
|---|
| Beschreibung | Title: NGC Explorer version 3.44.15 Improper encryption implementation leading to plaintext password transmission
Software affected: NGC Explorer version 3.44.15
Vendor: Dígitro Tecnologia - https://digitro.com/
Description:
The application implements client-side encryption for passwords before sending them to the server. However, the backend also accepts the password in plaintext. This makes the encryption redundant and misleading, weakening the overall security posture.
Technical Details:
During login, the client encrypts the password and sends it to the server. However, intercepting and modifying the request (e.g., using Burp Suite or similar) to replace the encrypted password with the original plaintext version still results in successful authentication. This suggests that the backend does not enforce encrypted input.
Impact:
An attacker can bypass the client-side encryption mechanism entirely and authenticate with the application using plaintext credentials. This exposes users to credential interception attacks and undermines the integrity of the authentication process.
Evidences of exploitation will be send by e-mail. |
|---|
| Benutzer | Anonymous User |
|---|
| Einreichung | 24.04.2025 23:26 (vor 1 Jahr) |
|---|
| Moderieren | 10.05.2025 07:30 (15 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 308272 [Dígitro NGC Explorer bis 3.44.15/3.48.21 Password Transmission Information Disclosure] |
|---|
| Punkte | 17 |
|---|