CVE-2023-35833

MEDIUM

YSoft SAFEQ 6 Server < 6.0.82 - Cleartext Transmission of Sensitive Information via LDAP Configuration Downgrade

Title source: llm

Description

An issue was discovered in YSoft SAFEQ 6 Server before 6.0.82. When modifying the URL of the LDAP server configuration from LDAPS to LDAP, the system does not require the password to be (re)entered. This results in exposing cleartext credentials when connecting to a rogue LDAP server. NOTE: the vendor originally reported this as a security issue but then reconsidered because of the requirement for Admin access in order to change the configuration.

References (2)

Core 2

Core References

Vendor Advisory

https://www.ysoft.com/en/legal/ldaps-encryption-downgrade-attack-vulnerability

Product

https://ysoft.com

Scores

CVSS v3 6.5

EPSS 0.0028

EPSS Percentile 19.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-319

Status published

Products (1)

ysoft/safeq_server 6.0 - 6.0.82

Published Jul 13, 2023

Tracked Since Feb 18, 2026