CVE-2024-36049

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-36049
Aptos Wisal payroll accounting before 7.1.6 uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. This allows attackers in a machine-in-the-middle position read and write access to personally identifiable information (PII) and especially payroll data and the ability to impersonate legitimate users with respect to the audit log.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-007/
https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-007/
Configurations

No configuration.

History

21 Nov 2024, 09:21

Type Values Removed Values Added
References () https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-007/ - () https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-007/ -

26 Aug 2024, 16:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
CWE CWE-798
Summary
  • (es) La contabilidad de nómina de Aptos Wisal anterior a 7.1.6 utiliza credenciales codificadas en el cliente de Windows para obtener la lista completa de nombres de usuarios y contraseñas del servidor de la base de datos, utilizando una conexión no cifrada. Esto permite a los atacantes en una posición de máquina en el medio acceso de lectura y escritura a información de identificación personal (PII) y especialmente a datos de nómina y la capacidad de hacerse pasar por usuarios legítimos con respecto al registro de auditoría.

24 May 2024, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-24 17:15

Updated : 2024-11-21 09:21

NVD link : CVE-2024-36049

Mitre link : CVE-2024-36049

CVE.ORG link : CVE-2024-36049

JSON object : View

Products Affected

No product.

CWE
CWE-798

Use of Hard-coded Credentials


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024