Submission #421292: Topdata Top Data Inner Rep Plus Web Server v.2.01 Missing Password Field Masking

Title: Topdata Top Data Inner Rep Plus Web Server v.2.01 Missing Password Field Masking

Description: Title: Top Data Inner Rep Plus Missing Password Field Masking
A "Missing Password Field Masking" vulnerability has been identified in Top Data Inner Rep Plus - Web Server v.2.01. This vulnerability allows a user to see the operator's password in plaintext. TopData has a product called Top Data Inner Rep Plus, which is a biometric time clock. This product uses a web service that has a vulnerability in version Web Server v.2.01. Basically, when the user is logged in as "admin", they are able to view the operator list. Inspecting this request with Burp Suite shows that the application responds to the request with a list of operators whose credentials are encrypted. The vulnerability occurs when the admin user views the operator(s) in the browser, because the password is visible in plaintext, without field masking. Since the operator information is transmitted encrypted, there is no reason for the application to show it in plaintext in the browser. Given this situation, a malicious actor could use an operator's identity to execute arbitrary actions as if they were that user. Link to the vendor and product site: https://www.topdata.com.br/relogio-de-ponto-biometrico/
User: Anonymous User
Submission: 10/10/2024 01:16 (2 years ago)
Moderation: 18/10/2024 14:12 (9 days later)
Status: Accepted
VulDB Entry: 280914 [Topdata Inner Rep Plus WebServer 2.01 Operator Details Form /InnerRepPlus.html information disclosure]
Points: 17
