CVE-2020-12712

HIGH

SOS JobScheduler <1.13 - Info Disclosure

Title source: llm

Description

A vulnerability based on insecure user/password encryption in the JOE (job editor) component of SOS JobScheduler 1.12 and 1.13 allows attackers to decrypt the user/password that is optionally stored with a user's profile.

Exploits (2)

exploitdb WORKING POC

by Sander Ubink · pythonremotemultiple

https://www.exploit-db.com/exploits/48587

View Code ZIP pw:eip

nomisec WORKING POC

by SanderUbink · poc

https://github.com/SanderUbink/CVE-2020-12712

View Code ZIP pw:eip

References (4)

[Vendor Advisory] https://www.sos-berlin.com/en/news

[Vendor Advisory] https://change.sos-berlin.com/browse/JOE-290

[Release Notes, Vendor Advisory] https://kb.sos-berlin.com/display/PKB/Vulnerability+Release+1.13.4

[Third Party Advisory] http://packetstormsecurity.com/files/158112/SOS-JobScheduler-1.13.3-Stored-Password-Decryption.html

Scores

CVSS v3 7.5

EPSS 0.0454

EPSS Percentile 89.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-330

Status published

Products (1)

sos-berlin/jobscheduler 1.12.0 - 1.12.12

Published Jun 11, 2020

Tracked Since Feb 18, 2026