CVE-2023-38328

CVE-2023-38328 – eGroupWare

Vulnerability Description: Plaintext Storage of a Password ('Improper Password Storage') – CWE-256

Software Version: 17.1.20190111

NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-38328

CVSSv3: 4.9

Severity: Medium

Credits: Luca Di Giuseppe, Antonio Papa, Stefano Scipioni, Fabio Minarelli, Massimiliano Brolli

An issue was discovered in eGroupWare 17.1.20190111. An Improper Password Storage vulnerability affects the setup panel under setup/manageheader.php, which allows authenticated remote attackers with administrator credentials to read a cleartext database password.

Step-by-step instructions and PoC

An authenticated admin user can read database credentials stored in cleartext in the eGroupWare setup panel.

Affected Endpoints

URL:
https://hostname/[REDACTED]/egroupware/setup/manageheader.php

https://hostname/[REDACTED]/egroupware/calendar/freebusy.php

Below is the evidence with the vulnerability details and the payload used.

Figure 7: Database credentials stored in cleartext in the eGroupWare setup panel


Security Impact

By exploiting this vulnerability, it is possible to access the web application's data stored in the database.