emptythevoid/gist:84248daccce8737f1cdd5b395cf6f32c

## gistfile1.txt
[Description]
Before Thornberry Ndoc version 8.0, laptop clients and the server have default
database (Cache) users set up with a single password. This password is
left behind in a cleartext log file during client installation on
laptops. This password can be used to gain full admin/system access to
client devices (if no firewall is present) or the Ndoc server itself.
Once the password is known to an attacker, local access is not
required.

------------------------------------------

[Additional Information]
Version 8.0 of Ndoc has been released to correct this vulnerability.

------------------------------------------

 [Vulnerability Type]
 Insecure Permissions

------------------------------------------

[Vendor of Product]
Thornberry

------------------------------------------

[Affected Product Code Base]
Ndoc - 7.4

------------------------------------------

[Affected Component]
Ndoc laptop client, Ndoc Server of at least 7.4.  Assume earlier versions are affected

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Escalation of Privileges]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
A local password stored in plaintext can be used to remotely attack
other devices or the Ndoc server. Once the password is known to an
attacker, local access is not required.

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Greg Ramey, I.S. Manager, Three Rivers District Health Department

------------------------------------------

[Reference]
https://ndocsoftware.com/resources/

Use CVE-2017-15366
	[Description]
	Before Thornberry Ndoc version 8.0, laptop clients and the server have default
	database (Cache) users set up with a single password. This password is
	left behind in a cleartext log file during client installation on
	laptops. This password can be used to gain full admin/system access to
	client devices (if no firewall is present) or the Ndoc server itself.
	Once the password is known to an attacker, local access is not
	required.

	------------------------------------------

	[Additional Information]
	Version 8.0 of Ndoc has been released to correct this vulnerability.

	------------------------------------------

	[Vulnerability Type]
	Insecure Permissions

	------------------------------------------

	[Vendor of Product]
	Thornberry

	------------------------------------------

	[Affected Product Code Base]
	Ndoc - 7.4

	------------------------------------------

	[Affected Component]
	Ndoc laptop client, Ndoc Server of at least 7.4. Assume earlier versions are affected

	------------------------------------------

	[Attack Type]
	Remote

	------------------------------------------

	[Impact Escalation of Privileges]
	true

	------------------------------------------

	[Impact Information Disclosure]
	true

	------------------------------------------

	[Attack Vectors]
	A local password stored in plaintext can be used to remotely attack
	other devices or the Ndoc server. Once the password is known to an
	attacker, local access is not required.

	------------------------------------------

	[Has vendor confirmed or acknowledged the vulnerability?]
	true

	------------------------------------------

	[Discoverer]
	Greg Ramey, I.S. Manager, Three Rivers District Health Department

	------------------------------------------

	[Reference]
	https://ndocsoftware.com/resources/

	Use CVE-2017-15366