CVE-2024-7407 (GCVE-0-2024-7407)

Vulnerability from cvelistv5 – Published: 2025-03-28 12:54 – Updated: 2025-03-28 13:40
VLAI?
Title
Weak password encoding in Streamsoft Prestiż
Summary
Use of a custom password encoding algorithm in Streamsoft Prestiż software allows straightforward decoding of passwords using their encoded forms, which are stored in the application's database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed.  This issue was fixed in 18.2.377 version of the software.
Severity ?
8.2 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-261 - Weak Encoding for Password
Assigner
References
Impacted products
Vendor Product Version
Streamsoft Streamsoft Prestiż Affected: 0 , < 18.2.377 (custom)
Create a notification for this product.
Date Public ?
2025-03-28 11:00
Credits
Kamil Dąbkowski
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7407",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T13:40:10.710868Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T13:40:49.121Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Streamsoft Presti\u017c",
          "vendor": "Streamsoft",
          "versions": [
            {
              "lessThan": "18.2.377",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kamil D\u0105bkowski"
        }
      ],
      "datePublic": "2025-03-28T11:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use of a custom password encoding algorithm\u0026nbsp;in Streamsoft Presti\u017c software allows straightforward decoding of passwords using their encoded forms, which are stored in the application\u0027s database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed.\u0026nbsp;\u003cbr\u003eThis issue was fixed in 18.2.377 version of the software."
            }
          ],
          "value": "Use of a custom password encoding algorithm\u00a0in Streamsoft Presti\u017c software allows straightforward decoding of passwords using their encoded forms, which are stored in the application\u0027s database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed.\u00a0\nThis issue was fixed in 18.2.377 version of the software."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-261",
              "description": "CWE-261 Weak Encoding for Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-28T12:54:13.122Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2025/03/CVE-2024-7407/"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.streamsoft.pl/streamsoft-prestiz/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Weak password encoding in Streamsoft Presti\u017c",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2024-7407",
    "datePublished": "2025-03-28T12:54:13.122Z",
    "dateReserved": "2024-08-02T09:50:51.479Z",
    "dateUpdated": "2025-03-28T13:40:49.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-7407\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2025-03-28T13:15:40.760\",\"lastModified\":\"2025-03-28T18:11:40.180\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Use of a custom password encoding algorithm\u00a0in Streamsoft Presti\u017c software allows straightforward decoding of passwords using their encoded forms, which are stored in the application\u0027s database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed.\u00a0\\nThis issue was fixed in 18.2.377 version of the software.\"},{\"lang\":\"es\",\"value\":\"El uso de un algoritmo de codificaci\u00f3n de contrase\u00f1as personalizado en el software Streamsoft Presti? permite decodificar f\u00e1cilmente las contrase\u00f1as mediante sus formas codificadas, almacenadas en la base de datos de la aplicaci\u00f3n. Es necesario conocer el algoritmo de codificaci\u00f3n, pero se puede deducir observando c\u00f3mo se transforman las contrase\u00f1as. Este problema se solucion\u00f3 en la versi\u00f3n 18.2.377 del software.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-261\"}]}],\"references\":[{\"url\":\"https://cert.pl/en/posts/2025/03/CVE-2024-7407/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://www.streamsoft.pl/streamsoft-prestiz/\",\"source\":\"cvd@cert.pl\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-7407\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-28T13:40:10.710868Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-28T13:40:45.983Z\"}}], \"cna\": {\"title\": \"Weak password encoding in Streamsoft Presti\\u017c\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Kamil D\\u0105bkowski\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Streamsoft\", \"product\": \"Streamsoft Presti\\u017c\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"18.2.377\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-03-28T11:00:00.000Z\", \"references\": [{\"url\": \"https://cert.pl/en/posts/2025/03/CVE-2024-7407/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.streamsoft.pl/streamsoft-prestiz/\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Use of a custom password encoding algorithm\\u00a0in Streamsoft Presti\\u017c software allows straightforward decoding of passwords using their encoded forms, which are stored in the application\u0027s database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed.\\u00a0\\nThis issue was fixed in 18.2.377 version of the software.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Use of a custom password encoding algorithm\u0026nbsp;in Streamsoft Presti\\u017c software allows straightforward decoding of passwords using their encoded forms, which are stored in the application\u0027s database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed.\u0026nbsp;\u003cbr\u003eThis issue was fixed in 18.2.377 version of the software.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-261\", \"description\": \"CWE-261 Weak Encoding for Password\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2025-03-28T12:54:13.122Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-7407\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-28T13:40:49.121Z\", \"dateReserved\": \"2024-08-02T09:50:51.479Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2025-03-28T12:54:13.122Z\", \"assignerShortName\": \"CERT-PL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.