Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for WINSelect (Standard + Enterprise) by Faronics

    CVE-2024-36497 (GCVE-0-2024-36497)

    Vulnerability from nvd – Published: 2024-06-24 09:06 – Updated: 2025-02-13 17:52
    VLAI
    Title
    Unhashed Storage of Password
    Summary
    The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect entirely.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    Faronics WINSelect (Standard + Enterprise) Unaffected: 8.30.xx.903 (custom)
    Create a notification for this product.
    faronics winselect Affected: 0 , < 8.30.xx.903 (custom)
        cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Hirschberger | SEC Consult Vulnerability Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "winselect",
                "vendor": "faronics",
                "versions": [
                  {
                    "lessThan": "8.30.xx.903",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36497",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-24T14:29:57.397820Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-24T14:30:01.406Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:37:05.236Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://r.sec-consult.com/winselect"
              },
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "WINSelect (Standard + Enterprise)",
              "vendor": "Faronics",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "8.30.xx.903",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Hirschberger | SEC Consult Vulnerability Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe decrypted configuration file contains the password in cleartext \nwhich is used to configure WINSelect. It can be used to remove the \nexisting restrictions and disable WINSelect entirely.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "The decrypted configuration file contains the password in cleartext \nwhich is used to configure WINSelect. It can be used to remove the \nexisting restrictions and disable WINSelect entirely."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-578",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-578 Disable Security Software"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T06:06:07.376Z",
            "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
            "shortName": "SEC-VLab"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://r.sec-consult.com/winselect"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            },
            {
              "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/document-library/document/download-winselect-standard\"\u003ehttps://www.faronics.com/document-library/document/download-winselect-standard\u003c/a\u003e\u003cbr\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe vendor provided the following changelog:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\"\u003ehttps://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\n https://www.faronics.com/document-library/document/download-winselect-standard \n \u00a0\n\nThe vendor provided the following changelog:\n https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unhashed Storage of Password",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "assignerShortName": "SEC-VLab",
        "cveId": "CVE-2024-36497",
        "datePublished": "2024-06-24T09:06:03.500Z",
        "dateReserved": "2024-05-29T06:48:49.689Z",
        "dateUpdated": "2025-02-13T17:52:56.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-36496 (GCVE-0-2024-36496)

    Vulnerability from nvd – Published: 2024-06-24 09:04 – Updated: 2025-02-13 17:52
    VLAI
    Title
    Hardcoded Credentials
    Summary
    The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key for RC4. The configuration file is then encrypted with these parameters.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Faronics WINSelect (Standard + Enterprise) Unaffected: 8.30.xx.903 (custom)
    Create a notification for this product.
    faronics winselect Unaffected: 8.30.xx.903
        cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Hirschberger | SEC Consult Vulnerability Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "winselect",
                "vendor": "faronics",
                "versions": [
                  {
                    "status": "unaffected",
                    "version": "8.30.xx.903"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36496",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-26T18:36:38.197133Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-26T18:46:33.744Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:37:05.067Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "exploit",
                  "x_transferred"
                ],
                "url": "https://r.sec-consult.com/winselect"
              },
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "WINSelect (Standard + Enterprise)",
              "vendor": "Faronics",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "8.30.xx.903",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Hirschberger | SEC Consult Vulnerability Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe configuration file is encrypted with a static key derived from a \nstatic five-character password which allows an attacker to decrypt this \nfile.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eThe application hashes this five-character password with \nthe outdated and broken MD5 algorithm (no salt) and uses the first five \nbytes as the key for RC4. The configuration file is then encrypted with \nthese parameters.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "The configuration file is encrypted with a static key derived from a \nstatic five-character password which allows an attacker to decrypt this \nfile.\u00a0The application hashes this five-character password with \nthe outdated and broken MD5 algorithm (no salt) and uses the first five \nbytes as the key for RC4. The configuration file is then encrypted with \nthese parameters."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T06:06:09.032Z",
            "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
            "shortName": "SEC-VLab"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://r.sec-consult.com/winselect"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            },
            {
              "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/document-library/document/download-winselect-standard\"\u003ehttps://www.faronics.com/document-library/document/download-winselect-standard\u003c/a\u003e\u003cbr\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe vendor provided the following changelog:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\"\u003ehttps://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\n https://www.faronics.com/document-library/document/download-winselect-standard \n \u00a0\n\nThe vendor provided the following changelog:\n https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hardcoded Credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "assignerShortName": "SEC-VLab",
        "cveId": "CVE-2024-36496",
        "datePublished": "2024-06-24T09:04:18.257Z",
        "dateReserved": "2024-05-29T06:48:49.689Z",
        "dateUpdated": "2025-02-13T17:52:55.434Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-36495 (GCVE-0-2024-36495)

    Vulnerability from nvd – Published: 2024-06-24 08:50 – Updated: 2025-02-13 17:52
    VLAI
    Title
    Read/Write Permissions for Everyone on Configuration File
    Summary
    The application Faronics WINSelect (Standard + Enterprise) saves its configuration in an encrypted file on the file system which "Everyone" has read and write access to, path to file: C:\ProgramData\WINSelect\WINSelect.wsd The path for the affected WINSelect Enterprise configuration file is: C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    Faronics WINSelect (Standard + Enterprise) Unaffected: 8.30.xx.903 (custom)
    Create a notification for this product.
    faronics winselect Unaffected: 0 , < 8.30.xx.903 (custom)
        cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Hirschberger | SEC Consult Vulnerability Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "winselect",
                "vendor": "faronics",
                "versions": [
                  {
                    "lessThan": "8.30.xx.903",
                    "status": "unaffected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36495",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-05T14:37:51.549136Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T20:25:37.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:37:05.306Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://r.sec-consult.com/winselect"
              },
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "WINSelect (Standard + Enterprise)",
              "vendor": "Faronics",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "8.30.xx.903",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Hirschberger | SEC Consult Vulnerability Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe application \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFaronics WINSelect (Standard + Enterprise)\u0026nbsp;\u003c/span\u003esaves its configuration in an encrypted file on the file system\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhich \"Everyone\" has read and write access to, path to file:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cpre\u003e\u003ccode\u003eC:\\ProgramData\\WINSelect\\WINSelect.wsd\u003c/code\u003e\u003c/pre\u003e\u003cp\u003eThe path for\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe affected WINSelect Enterprise\u003c/span\u003e\u0026nbsp;configuration file is:\u003c/p\u003e\u003cpre\u003e\u003ccode\u003eC:\\ProgramData\\Faronics\\StorageSpace\\WS\\WINSelect.wsd\u003c/code\u003e\u003c/pre\u003e\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "The application Faronics WINSelect (Standard + Enterprise)\u00a0saves its configuration in an encrypted file on the file system\u00a0which \"Everyone\" has read and write access to, path to file:\n\n\n\nC:\\ProgramData\\WINSelect\\WINSelect.wsd\n\nThe path for\u00a0the affected WINSelect Enterprise\u00a0configuration file is:\n\nC:\\ProgramData\\Faronics\\StorageSpace\\WS\\WINSelect.wsd"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-75",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-75 Manipulating Writeable Configuration Files"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276 Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T06:06:05.681Z",
            "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
            "shortName": "SEC-VLab"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://r.sec-consult.com/winselect"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            },
            {
              "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/document-library/document/download-winselect-standard\"\u003ehttps://www.faronics.com/document-library/document/download-winselect-standard\u003c/a\u003e\u003cbr\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe vendor provided the following changelog:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\"\u003ehttps://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\n https://www.faronics.com/document-library/document/download-winselect-standard \n \u00a0\n\nThe vendor provided the following changelog:\n https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Read/Write Permissions for Everyone on Configuration File",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "assignerShortName": "SEC-VLab",
        "cveId": "CVE-2024-36495",
        "datePublished": "2024-06-24T08:50:07.161Z",
        "dateReserved": "2024-05-29T06:48:49.689Z",
        "dateUpdated": "2025-02-13T17:52:54.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-36497 (GCVE-0-2024-36497)

    Vulnerability from cvelistv5 – Published: 2024-06-24 09:06 – Updated: 2025-02-13 17:52
    VLAI
    Title
    Unhashed Storage of Password
    Summary
    The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect entirely.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    Faronics WINSelect (Standard + Enterprise) Unaffected: 8.30.xx.903 (custom)
    Create a notification for this product.
    faronics winselect Affected: 0 , < 8.30.xx.903 (custom)
        cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Hirschberger | SEC Consult Vulnerability Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "winselect",
                "vendor": "faronics",
                "versions": [
                  {
                    "lessThan": "8.30.xx.903",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36497",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-24T14:29:57.397820Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-24T14:30:01.406Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:37:05.236Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://r.sec-consult.com/winselect"
              },
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "WINSelect (Standard + Enterprise)",
              "vendor": "Faronics",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "8.30.xx.903",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Hirschberger | SEC Consult Vulnerability Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe decrypted configuration file contains the password in cleartext \nwhich is used to configure WINSelect. It can be used to remove the \nexisting restrictions and disable WINSelect entirely.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "The decrypted configuration file contains the password in cleartext \nwhich is used to configure WINSelect. It can be used to remove the \nexisting restrictions and disable WINSelect entirely."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-578",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-578 Disable Security Software"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T06:06:07.376Z",
            "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
            "shortName": "SEC-VLab"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://r.sec-consult.com/winselect"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            },
            {
              "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/document-library/document/download-winselect-standard\"\u003ehttps://www.faronics.com/document-library/document/download-winselect-standard\u003c/a\u003e\u003cbr\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe vendor provided the following changelog:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\"\u003ehttps://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\n https://www.faronics.com/document-library/document/download-winselect-standard \n \u00a0\n\nThe vendor provided the following changelog:\n https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unhashed Storage of Password",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "assignerShortName": "SEC-VLab",
        "cveId": "CVE-2024-36497",
        "datePublished": "2024-06-24T09:06:03.500Z",
        "dateReserved": "2024-05-29T06:48:49.689Z",
        "dateUpdated": "2025-02-13T17:52:56.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-36496 (GCVE-0-2024-36496)

    Vulnerability from cvelistv5 – Published: 2024-06-24 09:04 – Updated: 2025-02-13 17:52
    VLAI
    Title
    Hardcoded Credentials
    Summary
    The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key for RC4. The configuration file is then encrypted with these parameters.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Faronics WINSelect (Standard + Enterprise) Unaffected: 8.30.xx.903 (custom)
    Create a notification for this product.
    faronics winselect Unaffected: 8.30.xx.903
        cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Hirschberger | SEC Consult Vulnerability Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "winselect",
                "vendor": "faronics",
                "versions": [
                  {
                    "status": "unaffected",
                    "version": "8.30.xx.903"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36496",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-26T18:36:38.197133Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-26T18:46:33.744Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:37:05.067Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "exploit",
                  "x_transferred"
                ],
                "url": "https://r.sec-consult.com/winselect"
              },
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "WINSelect (Standard + Enterprise)",
              "vendor": "Faronics",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "8.30.xx.903",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Hirschberger | SEC Consult Vulnerability Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe configuration file is encrypted with a static key derived from a \nstatic five-character password which allows an attacker to decrypt this \nfile.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eThe application hashes this five-character password with \nthe outdated and broken MD5 algorithm (no salt) and uses the first five \nbytes as the key for RC4. The configuration file is then encrypted with \nthese parameters.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "The configuration file is encrypted with a static key derived from a \nstatic five-character password which allows an attacker to decrypt this \nfile.\u00a0The application hashes this five-character password with \nthe outdated and broken MD5 algorithm (no salt) and uses the first five \nbytes as the key for RC4. The configuration file is then encrypted with \nthese parameters."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T06:06:09.032Z",
            "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
            "shortName": "SEC-VLab"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://r.sec-consult.com/winselect"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            },
            {
              "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/document-library/document/download-winselect-standard\"\u003ehttps://www.faronics.com/document-library/document/download-winselect-standard\u003c/a\u003e\u003cbr\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe vendor provided the following changelog:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\"\u003ehttps://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\n https://www.faronics.com/document-library/document/download-winselect-standard \n \u00a0\n\nThe vendor provided the following changelog:\n https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hardcoded Credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "assignerShortName": "SEC-VLab",
        "cveId": "CVE-2024-36496",
        "datePublished": "2024-06-24T09:04:18.257Z",
        "dateReserved": "2024-05-29T06:48:49.689Z",
        "dateUpdated": "2025-02-13T17:52:55.434Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-36495 (GCVE-0-2024-36495)

    Vulnerability from cvelistv5 – Published: 2024-06-24 08:50 – Updated: 2025-02-13 17:52
    VLAI
    Title
    Read/Write Permissions for Everyone on Configuration File
    Summary
    The application Faronics WINSelect (Standard + Enterprise) saves its configuration in an encrypted file on the file system which "Everyone" has read and write access to, path to file: C:\ProgramData\WINSelect\WINSelect.wsd The path for the affected WINSelect Enterprise configuration file is: C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    Faronics WINSelect (Standard + Enterprise) Unaffected: 8.30.xx.903 (custom)
    Create a notification for this product.
    faronics winselect Unaffected: 0 , < 8.30.xx.903 (custom)
        cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Daniel Hirschberger | SEC Consult Vulnerability Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:faronics:winselect:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "winselect",
                "vendor": "faronics",
                "versions": [
                  {
                    "lessThan": "8.30.xx.903",
                    "status": "unaffected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36495",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-05T14:37:51.549136Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T20:25:37.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:37:05.306Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://r.sec-consult.com/winselect"
              },
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "WINSelect (Standard + Enterprise)",
              "vendor": "Faronics",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "8.30.xx.903",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Hirschberger | SEC Consult Vulnerability Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe application \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFaronics WINSelect (Standard + Enterprise)\u0026nbsp;\u003c/span\u003esaves its configuration in an encrypted file on the file system\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhich \"Everyone\" has read and write access to, path to file:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cpre\u003e\u003ccode\u003eC:\\ProgramData\\WINSelect\\WINSelect.wsd\u003c/code\u003e\u003c/pre\u003e\u003cp\u003eThe path for\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe affected WINSelect Enterprise\u003c/span\u003e\u0026nbsp;configuration file is:\u003c/p\u003e\u003cpre\u003e\u003ccode\u003eC:\\ProgramData\\Faronics\\StorageSpace\\WS\\WINSelect.wsd\u003c/code\u003e\u003c/pre\u003e\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "The application Faronics WINSelect (Standard + Enterprise)\u00a0saves its configuration in an encrypted file on the file system\u00a0which \"Everyone\" has read and write access to, path to file:\n\n\n\nC:\\ProgramData\\WINSelect\\WINSelect.wsd\n\nThe path for\u00a0the affected WINSelect Enterprise\u00a0configuration file is:\n\nC:\\ProgramData\\Faronics\\StorageSpace\\WS\\WINSelect.wsd"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-75",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-75 Manipulating Writeable Configuration Files"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276 Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T06:06:05.681Z",
            "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
            "shortName": "SEC-VLab"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://r.sec-consult.com/winselect"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            },
            {
              "url": "http://seclists.org/fulldisclosure/2024/Jun/12"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/document-library/document/download-winselect-standard\"\u003ehttps://www.faronics.com/document-library/document/download-winselect-standard\u003c/a\u003e\u003cbr\u003e \u0026nbsp;\u003c/p\u003e\u003cp\u003eThe vendor provided the following changelog:\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\"\u003ehttps://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL:\n https://www.faronics.com/document-library/document/download-winselect-standard \n \u00a0\n\nThe vendor provided the following changelog:\n https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Read/Write Permissions for Everyone on Configuration File",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "assignerShortName": "SEC-VLab",
        "cveId": "CVE-2024-36495",
        "datePublished": "2024-06-24T08:50:07.161Z",
        "dateReserved": "2024-05-29T06:48:49.689Z",
        "dateUpdated": "2025-02-13T17:52:54.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }