CVE-2024-36496

{"id": "CVE-2024-36496", "metrics": {}, "published": "2024-06-24T09:15:09.860", "references": [{"url": "http://seclists.org/fulldisclosure/2024/Jun/12", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://r.sec-consult.com/winselect", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "The configuration file is encrypted with a static key derived from a \nstatic five-character password which allows an attacker to decrypt this \nfile.\u00a0The application hashes this five-character password with \nthe outdated and broken MD5 algorithm (no salt) and uses the first five \nbytes as the key for RC4. The configuration file is then encrypted with \nthese parameters."}], "lastModified": "2024-06-25T06:15:11.413", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf"}