Password in Cleartext Found in Decrypted Configuration File
CVE-2024-36497

9.1CRITICAL

Key Information:

Vendor: Faronics
Status: Winselect (standard + Enterprise)
Vendor: CVE Published:; 24 June 2024

What is CVE-2024-36497?

A vulnerability in WINSelect by Faronics allows for the decrypted configuration file to expose the password in cleartext. This security flaw can lead to unauthorized access to system configurations, effectively disabling existing restrictions and compromising the security model of WINSelect. Organizations using vulnerable versions of WINSelect are advised to review their security measures and apply relevant patches to mitigate risks.

Affected Version(s)

WINSelect (Standard + Enterprise) 8.30.xx.903

References

https://r.sec-consult.com/winselect

third-party-advisory

https://www.faronics.com/en-uk/document-library/document/...

release-notes

http://seclists.org/fulldisclosure/2024/Jun/12

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2024
Vulnerability Reserved
May 29, 2024

Credit

Daniel Hirschberger | SEC Consult Vulnerability Lab