OpenSlides 4.0.15 hashes passwords by applying a single round of SHA-512 to the cleartext password and the salt. Attackers who have obtained the hashed passwords can therefore calculate the cleartext passwords within a very short amount of time, using massively-parallel computing (such as cloud computing) and GPU, ASIC, or FPGA hardware.
This vulnerability has been fixed in OpenSlides 4.0.16.
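The weak construction described above beside a hardened form, as an added example that is not OpenSlides' own code: the salt/password concatenation order and encoding are assumed (the advisory does not state them), scrypt stands in for whatever KDF the 4.0.16 fix actually uses, and the rehash-on-login path shows how existing single-round records can be migrated without a password reset.

```python
import hashlib
import hmac
import os

# Tunable KDF parameters (assumed values; n=2**14, r=8 uses 16 MiB per guess).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=64)


def weak_hash(password: str, salt: bytes) -> bytes:
    # The 4.0.15 pattern from the advisory: one SHA-512 over salt and password.
    # Cheap per guess, so a leaked table can be attacked at hardware speed.
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def strong_hash(password: str, salt: bytes) -> bytes:
    # Memory-hard, deliberately slow KDF; cost is set by SCRYPT_PARAMS.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


HASHERS = {"sha512": weak_hash, "scrypt": strong_hash}


def make_record(password: str, scheme: str = "scrypt") -> dict:
    """Create a stored credential record tagged with its hashing scheme."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": HASHERS[scheme](password, salt)}


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Verify the password in constant time; on success, rehash any record still
    using the single-round scheme with the slow KDF. Returns (ok, record)."""
    hasher = HASHERS[record["scheme"]]
    ok = hmac.compare_digest(hasher(password, record["salt"]), record["hash"])
    if ok and record["scheme"] != "scrypt":
        record = make_record(password)  # fresh salt, strong scheme
    return ok, record


def count_weak_records(records: dict) -> int:
    """Audit helper: how many stored records still use the fast hash."""
    return sum(1 for r in records.values() if r["scheme"] == "sha512")
```

Because the upgrade happens only when the cleartext is available at login, records for users who never log in stay weak; the audit count tells you when a forced reset for the remainder is warranted.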
- 2023-Nov-19: Reported to vendor
- 2023-Nov-20: Vendor confirmation
- 2023-Nov-23: Vendor fix available
- 2024-Sep-25: Public disclosure