| Title | Dígitro NGC Explorer 3.44.15 Improper client-side encryption implementation |
|---|
| Description | Title: NGC Explorer version 3.44.15 Improper encryption implementation leading to plaintext password transmission
Software affected: NGC Explorer version 3.44.15
Vendor: Dígitro Tecnologia - https://digitro.com/
Description:
The application implements client-side encryption for passwords before sending them to the server. However, the backend also accepts the password in plaintext. This makes the encryption redundant and misleading, weakening the overall security posture.
Technical Details:
During login, the client encrypts the password and sends it to the server. However, intercepting and modifying the request (e.g., using Burp Suite or similar) to replace the encrypted password with the original plaintext version still results in successful authentication. This suggests that the backend does not enforce encrypted input.
Impact:
An attacker can bypass the client-side encryption mechanism entirely and authenticate with the application using plaintext credentials. This exposes users to credential interception attacks and undermines the integrity of the authentication process.
Evidence of exploitation will be sent by e-mail. |
|---|
| User | Anonymous User |
|---|
| Submit | 24/04/2025 23:26 (1 year ago) |
|---|
| Moderation | 10/05/2025 07:30 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 308272 [Dígitro NGC Explorer up to 3.44.15/3.48.21 Password Transmission information disclosure] |
|---|
| Points | 17 |
|---|