usd-2022-0057 | Weak Password Reset Mechanism in CPTO 184.108.40.206
Advisory ID: usd-2022-0057
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 220.127.116.11 (#718) 06.07.2021
Vulnerability Type: CWE 640 - Weak Password Recovery Mechanism for Forgotten Password
Security Risk: Low
Vendor URL: https://www.sesami.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31300
CVE Link: Pending
The Reset Password feature sends new passwords unencrypted in clear text via email.
Users should update CPTO to its current version.
An email should be sent to the users authorized email id with a link which will take the user to a page for resetting the password. This link should be SSL-enabled and active for only a short time. This way the actual password is never seen. The security benefits of this method are: The password is not sent in the mail and since the link is active for a short time, there is no harm even if the mail remains in the mailbox for a long time.
- 2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
- 2022-11-28: The Responsible Disclosure tries to establish contact with vendor for the first time.
- 2023-04-27: CVE IDs are requested and subsequently reserved.
- 2023-05-12: Trying to establish contact via phone and email has been unsucessful, usd AG's customer notifies the team that vulnerabilities should by fixed come autumn.
- 2023-11-23: Marcus Nilsson got in touch with vendor, the advisories shall be published without a Proof-Of-Concept of the exploits in December.
- 2022-12-21: Advisory published by usd AG.
This security vulnerability was found by Marcus Nilsson of usd AG.