usd-2022-0057 | Weak Password Reset Mechanism in CPTO 6.3.8.6

Advisory ID: usd-2022-0057
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Security Risk: Low
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31300
CVE Link: Pending

Description

The Reset Password feature generates a new password for the user and sends it in clear text via email.

Fix

Users should update CPTO to its current version.

Instead, an email should be sent to the user's authorized email address containing a link that takes the user to a page for choosing a new password. This link should be SSL-enabled and valid only for a short time, so the actual password never appears in the mail. The security benefits of this method are that no password is sent by email and, because the link expires quickly, there is no harm even if the mail remains in the mailbox for a long time.
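The following is an added example illustrating the recommended reset flow; it is not code from CPTO or from usd AG. It contrasts the reported pattern (a generated password mailed in clear text) with a link-based reset: a random token is generated, only its hash is stored together with an expiry, the token travels solely inside an HTTPS link, and redeeming it is single-use. The base URL, the 15-minute lifetime, the in-memory user store and the `outbox` stand-in for the mail system are all assumptions made for the example.

```python
"""Password reset by emailed one-time link (added example, not CPTO code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed lifetime: the advisory only asks that the link be active "for a short time".
TOKEN_TTL_SECONDS = 15 * 60


def _digest(value: str) -> str:
    # SHA-256 is fine for a high-entropy random token; for the stored user
    # password itself a real system would use a password hash such as argon2.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class PendingReset:
    token_hash: str      # only the hash is persisted; the raw token lives in the emailed link
    expires_at: float    # unix time after which the link is dead
    used: bool = False   # a link can be redeemed exactly once


class ResetService:
    """Hypothetical reset service with in-memory stand-ins for user store and mail system."""

    def __init__(self, base_url: str = "https://cpto.example/reset"):
        self._base_url = base_url                       # must be HTTPS in a real deployment
        self._pending: Dict[str, PendingReset] = {}
        self._password_hashes: Dict[str, str] = {}
        self.outbox: List[Tuple[str, str]] = []         # (recipient, body) of mails "sent"

    def weak_reset(self, user_id: str, email: str) -> str:
        """The pattern the advisory reports: generate a password and mail it in clear text."""
        new_password = secrets.token_urlsafe(12)
        self._password_hashes[user_id] = _digest(new_password)
        self.outbox.append((email, f"Your new password is: {new_password}"))
        return new_password

    def request_reset(self, user_id: str, email: str, now: Optional[float] = None) -> str:
        """Recommended pattern: mail a single-use, time-limited link; no credential in the mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)               # 256 bits of entropy
        # A new request replaces any earlier pending token for this user.
        self._pending[user_id] = PendingReset(_digest(token), now + TOKEN_TTL_SECONDS)
        link = f"{self._base_url}?uid={user_id}&token={token}"
        self.outbox.append((email, f"To choose a new password, open: {link}"))
        # Returned only so a caller can simulate the user following the link.
        return token

    def redeem(self, user_id: str, token: str, new_password: str,
               now: Optional[float] = None) -> bool:
        """Accept the token once, before expiry, and let the user set their own password."""
        now = time.time() if now is None else now
        pending = self._pending.get(user_id)
        if pending is None or pending.used or now > pending.expires_at:
            return False
        if not hmac.compare_digest(pending.token_hash, _digest(token)):
            return False
        pending.used = True
        self._password_hashes[user_id] = _digest(new_password)
        return True

    def check_login(self, user_id: str, password: str) -> bool:
        stored = self._password_hashes.get(user_id)
        return stored is not None and hmac.compare_digest(stored, _digest(password))


if __name__ == "__main__":
    svc = ResetService()
    tok = svc.request_reset("alice", "alice@example.com")
    print("mail body:", svc.outbox[-1][1])
    print("redeemed:", svc.redeem("alice", tok, "correct horse battery staple"))
    print("replay rejected:", not svc.redeem("alice", tok, "again"))
```

The `redeem` check rejects an unknown user, an already-used link, an expired link and a wrong token before any state changes, and the token comparison is constant-time. Because the stored value is only a hash of the token, a leaked copy of the pending-reset table does not let anyone complete a reset.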

References

https://owasp.org/www-community/OWASP_Application_Security_FAQ

Timeline

  • 2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
  • 2022-11-28: The Responsible Disclosure team tries to establish contact with the vendor for the first time.
  • 2023-04-27: CVE IDs are requested and subsequently reserved.
  • 2023-05-12: Attempts to establish contact via phone and email have been unsuccessful; usd AG's customer notifies the team that the vulnerabilities should be fixed by autumn.
  • 2023-11-23: Marcus Nilsson got in touch with the vendor; the advisories shall be published without a proof of concept of the exploits in December.
  • 2022-12-21: Advisory published by usd AG.

Credits

This security vulnerability was found by Marcus Nilsson of usd AG.