CVE-2024-45165

Published: Aug 22, 2024Modified: Sep 3, 2025

5.3

Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.6 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However, the key is derived from the string "(c)2007 UCI Software GmbH B.Boll" (without quotes). The key is both static and hardcoded. With access to messages, this results in message decryption and encryption by an attacker. Thus, it enables passive and active man-in-the-middle attacks.

Affected (1)

Products: Uci: Idol2

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Uci Idol2	Up to 2.12

Related CWEs

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (5)

http://download.uci.de/idol2/idol2Client_2_12.exe

Source: cve@mitre.org

Broken Link

https://uci.de/download/idol2-client.html

Source: cve@mitre.org

ProductRelease Notes

https://uci.de/products/index.html

Source: cve@mitre.org

Product

https://www.syss.de/en/responsible-disclosure-policy

Source: cve@mitre.org

Issue Tracking

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-048.txt

Source: cve@mitre.org

Third Party Advisory

Timeline

No history available yet.