CVE-2024-36496

The configuration file is encrypted with a static key derived from a 
static five-character password which allows an attacker to decrypt this 
file.The application hashes this five-character password with 
the outdated and broken MD5 algorithm (no salt) and uses the first five 
bytes as the key for RC4. The configuration file is then encrypted with 
these parameters.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SEC-VLabCNA
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2024/Jun/12
https://r.sec-consult.com/winselect
https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes
http://seclists.org/fulldisclosure/2024/Jun/12
https://r.sec-consult.com/winselect
https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes