Submit #565307: Dígitro NGC Explorer 3.44.15 Plaintext Password in Configuration Fileinfo

TitleDígitro NGC Explorer 3.44.15 Plaintext Password in Configuration File
DescriptionTitle: NGC Explorer version 3.44.15 Client-side DOM manipulation allows password exposure Software affected: NGC Explorer version 3.44.15 Vendor: Dígitro Tecnologia - https://digitro.com/ Description: A configuration page contains an input field of type password, pre-filled with a sensitive SIP service credential. However, there is no defense against DOM manipulation. By changing the field type to text using browser DevTools, the stored password becomes visible in plaintext. Technical Details: An attacker with local access can open browser DevTools (F12), locate the password input field, and change the type="password" attribute to type="text", revealing the user’s password. Impact: Sensitive credentials can be exposed to unauthorized users, especially in shared or public environments. Evidences of exploitation will be send by e-mail.
User
 Anonymous User
Submission04/24/2025 23:21 (1 Year ago)
Moderation05/10/2025 07:30 (15 days later)
StatusAccepted
VulDB entry308271 [Dígitro NGC Explorer up to 3.44.15/3.48.21 Configuration Page missing password field masking]
Points17

Want to know what is going to be exploited?

We predict KEV entries!