Credential Disclosure in Microsoft Project Server 2003
CVE-2006-6617

Currently unrated

Key Information:

Vendor: Microsoft
Status: Project Server
Vendor: CVE Published:; 18 December 2006

Summary

The Project Server component in Microsoft Project Server 2003 is susceptible to a vulnerability that allows remote authenticated users to extract sensitive credentials, specifically the MSProjectUser password for a SQL database. This occurs through a GetInitializationData request, which inadvertently exposes password information contained in the UserName and Password tags within the response. Mitigating this vulnerability is crucial to prevent unauthorized access and potential data breaches.

References

http://securityreason.com/securityalert/2047

third-party-advisoryx_refsource_SREASON

http://lists.grok.org.uk/pipermail/full-disclosure/2006-D...

mailing-listx_refsource_FULLDISC

http://securitytracker.com/id?1017388

vdb-entryx_refsource_SECTRACK

EPSS Score

31% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Dec 18, 2006
Vulnerability Reserved
Dec 17, 2006