CVE-2024-39341

MEDIUM

Entrust Instant Financial Issuance (On Premise) Software - Info Dis...

Description

Entrust Instant Financial Issuance (On Premise) Software (formerly known as Cardwizard) 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier leaves behind a configuration file (i.e., WebAPI.cfg.xml) after the installation process. This file can be accessed without authentication on HTTP port 80 by guessing the correct IIS webroot path. It contains system configuration parameter names and values; the sensitive configuration values are encrypted.

Scores

CVSS v3 5.9
EPSS 0.0013
EPSS Percentile 31.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-290
Status published
Published Sep 23, 2024
Tracked Since Feb 18, 2026