CVE-2024-0912 HIGH

CVE-2024-0912: C•CURE passwords exposed to administrators

Vendor Johnson Controls
Product Software House C•CURE 9000
Weakness CWE-532 · Sensitive info in logs
Published June 5, 2024
Last update August 1, 2024

CVSS base score

8.5/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Active
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

What the vulnerability does

01 Description

Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C•CURE 9000 or prior versions.

Key dates

02 Disclosure timeline

June 5, 2024 CVE published
August 1, 2024 Record updated