CVE-2023-25263

Published: Mar 27, 2023Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

In Stimulsoft Designer (Desktop) 2023.1.5, and 2023.1.4, once an attacker decompiles the Stimulsoft.report.dll the attacker is able to decrypt any connectionstring stored in .mrt files since a static secret is used. The secret does not differ between the tested versions and different operating systems.

Affected (4)

Products: Stimulsoft: Designer

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Stimulsoft Designer	Version 2023.1.4
Stimulsoft Designer	Version 2023.1.4
Stimulsoft Designer	Version 2023.1.5
Stimulsoft Designer	Version 2023.1.5

Related CWEs

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (6)

http://stimulsoft.com

Source: cve@mitre.org

Product

https://cloud-trustit.spp.at/s/Db8ZfNq2WYiNCHa

Source: cve@mitre.org

Broken Link

https://cves.at/posts/cve-2023-25263/writeup/

Source: cve@mitre.org

ExploitThird Party Advisory

http://stimulsoft.com

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://cloud-trustit.spp.at/s/Db8ZfNq2WYiNCHa

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://cves.at/posts/cve-2023-25263/writeup/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.