| Title | MaximaTech Portal Executivo - Password stored in Cookies |
|---|
| Description | The application MaximaTech Portal Executivo x.x.x.x stores user and password in clear text in cookies that allows attackers to disclosure credentials, we detected this vulnerability by capturing network traffic, in this occasion the application was not using HTTPS, so it was possible to collect credentials in cookies of the request.
Attack vetor:
Any cookie-stealing vulnerabilities within the application or browser would enable an attacker to steal the user's credentials to the application.
Credits:
Luigi Polidório¸ Robson Rodrigues, Red Team Softwall |
|---|
| Source | ⚠️ https://l6x.notion.site/PoC-7041cf9625554273b17148de85705d06?pvs=4 |
|---|
| User | LuigiSoftwall (UID 51872) |
|---|
| Submission | 07/31/2023 18:05 (3 years ago) |
|---|
| Moderation | 08/16/2023 15:12 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 237316 [MaximaTech Portal Executivo 21.9.1.140 Cookie missing encryption] |
|---|
| Points | 17 |
|---|