CVE-2023-37468 MEDIUM

CVE-2023-37468: Storing unencrypted LDAP passwords in feedbacksystem

Vendor Thm-Mni-Ii
Product feedbacksystem
Weakness CWE-312 · Cleartext storage
Published July 13, 2023
Last update October 22, 2024

CVSS base score

6.0/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Feedbacksystem is a personalized feedback system for students using artificial intelligence. Passwords of users using LDAP login are stored in clear text in the database. The LDAP users password is passed unencrypted in the LoginController.scala and stored in the database when logging in for the first time. Users using only local login or the cas login are not affected. This issue has been patched in version 1.19.2.

Key dates

02Disclosure timeline

July 13, 2023 CVE published
October 22, 2024 Record updated