CVE-2024-36496

June 24, 2024, 12:57 p.m.

None
No Score

Description

The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key for RC4. The configuration file is then encrypted with these parameters.

Product(s) Impacted

Product Versions
UNKNOWN
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

References

https://r.sec-consult.com/winselect
https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes

Tags

CWE-798
551230f0-3615-47bd-b7cc-93e92e730bbf
2024-06-24
CVE-2024-36496

Timeline

Published: June 24, 2024, 9:15 a.m.
Last Modified: June 24, 2024, 12:57 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

551230f0-3615-47bd-b7cc-93e92e730bbf

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.