CVE-2019-17393
CRITICAL
Tomedo Server 1.7.3 - Cleartext Transmission of Sensitive Information via HTTP
Title source: llm
Description
The customer's Tomedo Server, version 1.7.3, communicates with the vendor's Tomedo Server over HTTP (in cleartext), so the traffic can be sniffed by unauthorized actors. The connection uses HTTP Basic authentication, so the sniffed credentials can be base64-decoded to reveal the username and password.
References (2)
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Oct/33
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/154873/Tomedo-Server-1.7.3-Information-Disclosure-Weak-Cryptography.html
Scores
CVSS v3: 9.8
EPSS: 0.0184
EPSS Percentile: 76.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-319, CWE-522
Status: published
Products (1): tomedo/server 1.7.3
Published: Oct 18, 2019
Tracked Since: Feb 18, 2026