CVE-2024-39341

Entrust Instant Financial Issuance (On Premise) Software (formerly known as Cardwizard) 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier leaves behind a configuration file (i.e. WebAPI.cfg.xml) after the installation process. This file can be accessed without authentication on HTTP port 80 by guessing the correct IIS webroot path. It includes system configuration parameter names and values with sensitive configuration values encrypted.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/VAMorales/21a8700a67d80c263b38e693fd528313
https://trustedcare.entrust.com/login
https://www.entrust.com/

Configurations

No configuration.

History

04 Nov 2024, 17:35

Type	Values Removed	Values Added
CWE		CWE-290
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9

26 Sep 2024, 13:32

Type	Values Removed	Values Added
Summary		(es) El software Entrust Instant Financial Issuance (On Premise) (antes conocido como Cardwizard) 6.10.0, 6.9.0, 6.9.1, 6.9.2, 6.8.x y versiones anteriores deja un archivo de configuración (es decir, WebAPI.cfg.xml) después del proceso de instalación. Se puede acceder a este archivo sin autenticación en el puerto HTTP 80 adivinando la ruta webroot de IIS correcta. Incluye los nombres y valores de los parámetros de configuración del sistema con valores de configuración confidenciales cifrados.

23 Sep 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-23 18:15

Updated : 2024-11-04 17:35

NVD link : CVE-2024-39341

Mitre link : CVE-2024-39341

CVE.ORG link : CVE-2024-39341

JSON object : View

Products Affected

No product.

CWE

CWE-290

Authentication Bypass by Spoofing

5.9 /10