CVE-2023-35833

Published: Jul 13, 2023Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue was discovered in YSoft SAFEQ 6 Server before 6.0.82. When modifying the URL of the LDAP server configuration from LDAPS to LDAP, the system does not require the password to be (re)entered. This results in exposing cleartext credentials when connecting to a rogue LDAP server. NOTE: the vendor originally reported this as a security issue but then reconsidered because of the requirement for Admin access in order to change the configuration.

Affected (1)

Products: Ysoft: Safeq Server

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ysoft Safeq Server	From 6.0 to 6.0.82

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (4)

https://www.ysoft.com/en/legal/ldaps-encryption-downgrade-attack-vulnerability

Source: cve@mitre.org

Vendor Advisory

https://ysoft.com

Source: cve@mitre.org

Product

https://www.ysoft.com/en/legal/ldaps-encryption-downgrade-attack-vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://ysoft.com

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.