Vulnerability Details CVE-2019-17393
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and password.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.3%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 5.0
References
- http://packetstormsecurity.com/files/154873/Tomedo-Server-1.7.3-Information-Disclosure-Weak-Cryptography.html
- http://seclists.org/fulldisclosure/2019/Oct/33
- http://packetstormsecurity.com/files/154873/Tomedo-Server-1.7.3-Information-Disclosure-Weak-Cryptography.html
- http://seclists.org/fulldisclosure/2019/Oct/33