| 제목 | Dígitro NGC Explorer 3.44.15 Improper client-side encryption implementation |
|---|
| 설명 | Title: NGC Explorer version 3.44.15 Improper encryption implementation leading to plaintext password transmission
Software affected: NGC Explorer version 3.44.15
Vendor: Dígitro Tecnologia - https://digitro.com/
Description:
The application implements client-side encryption for passwords before sending them to the server. However, the backend also accepts the password in plaintext. This makes the encryption redundant and misleading, weakening the overall security posture.
Technical Details:
During login, the client encrypts the password and sends it to the server. However, intercepting and modifying the request (e.g., using Burp Suite or similar) to replace the encrypted password with the original plaintext version still results in successful authentication. This suggests that the backend does not enforce encrypted input.
Impact:
An attacker can bypass the client-side encryption mechanism entirely and authenticate with the application using plaintext credentials. This exposes users to credential interception attacks and undermines the integrity of the authentication process.
Evidences of exploitation will be send by e-mail. |
|---|
| 사용자 | Anonymous User |
|---|
| 제출 | 2025. 04. 24. PM 11:26 (1 년도 ago) |
|---|
| 모더레이션 | 2025. 05. 10. AM 07:30 (15 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 308272 [Dígitro NGC Explorer 까지 3.44.15/3.48.21 Password Transmission 정보 공개] |
|---|
| 포인트들 | 17 |
|---|