@boatpavaris
Last active September 20, 2022 06:22
[Description]
Kentico is the only fully integrated ASP.NET CMS, E-commerce, and Online Marketing platform that allows you to create cutting-edge websites and optimize your digital customers' experiences fully across multiple channels. Kentico saves you time and resources so you can accomplish more. (Copy from Kentico homepage.)
[Suggested description]
** DISPUTED ** Kentico v10.0.42 allows Global Administrators to read
the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the vendor considers this a best-practice violation but
not a vulnerability. The vendor plans to fix it at a future time.
------------------------------------------
[Additional Information]
The application should not send cleartext credentials back to the
browser. Another workaround is to limit the number of people
authorized to access the application with a high-privilege
account.
Discovery and report - 28 Dec 2018.
Vendor response - 3 Jan 2019.
CVE ID was assigned - 12 Jan 2019.
Public - 15 Jan 2019.
------------------------------------------
[VulnerabilityType Other]
Credential disclosure
------------------------------------------
[Vendor of Product]
Kentico
------------------------------------------
[Affected Product Code Base]
Kentico - v10.0.42
------------------------------------------
[Affected Component]
SMTP configuration page
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Attack Type Other]
An attacker who has access with global administrator privileges can view the plaintext SMTP password and send phishing email to a victim.
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
We found that an attacker who has access with global
administrator privileges is authorized to modify the SMTP properties,
and the server returns the current SMTP credential, which is stored in
the HTML DOM. This could allow a malicious administrator (probably a
compromised account) to view the current SMTP credential and use it to
relay email through the specific SMTP server.
1. Log in as administrator.
2. Go to SMTP configuration page.
3. Click "Email".
4. View source "SMTP Password".
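
A check a defender could run over a saved copy of an admin page to catch the behaviour described above, where the server writes a stored password into the value attribute of a password field. This is an added example, not code from the original report or from Kentico; the field names, the mask value and both HTML samples are constructed.

```python
from html.parser import HTMLParser

# Constructed sample: server echoes the stored secret into the form (the reported behaviour).
ECHOED_PAGE = (
    '<form><input type="text" name="smtp_server" value="mail.example.test">'
    '<input type="password" name="smtp_password" value="S3cret-constructed"></form>'
)
# Constructed sample: hardened form; the field is left empty and only overwritten on submit.
HARDENED_PAGE = (
    '<form><input type="text" name="smtp_server" value="mail.example.test">'
    '<input type="Password" name="smtp_password" value="" autocomplete="new-password" /></form>'
)


class PasswordEchoFinder(HTMLParser):
    """Collects password inputs whose value attribute carries real content."""

    def __init__(self, masks=("********",)):
        super().__init__()
        self.masks = set(masks)  # assumed fixed placeholder strings that are not secrets
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <input ... /> via the default handle_startendtag.
        if tag != "input":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("type", "").lower() != "password":
            return
        value = a.get("value", "")
        if value.strip() and value not in self.masks:
            # Report the field name and length only, never the secret itself.
            field = a.get("name") or a.get("id") or "?"
            self.findings.append({"field": field, "length": len(value)})


def find_echoed_passwords(html, masks=("********",)):
    """Return one finding per password field that arrives pre-filled from the server."""
    finder = PasswordEchoFinder(masks)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, page in (("echoed", ECHOED_PAGE), ("hardened", HARDENED_PAGE)):
        print(label, find_echoed_passwords(page))
```
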
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Pavaris Jintanapramoth