ISL Light Desktop 3.5.4 Information Disclosure

2013.12.04
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-200


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

CVE-2013-6237:ISL Light - Desktop 3.5.4, Clipboard security issue In cases where a person is hosting a sharing session and allows a remote user to see what is happening on the local PC, its been discovered that if you locally copy something like a hidden password to the local clipboard, then the remote user will be able to directly paste it in clear text into a notepad or other form of document, effectively gaining access to the password. Not possible to lock this functionality. Example, 1. You start ISLonline Console session 2. External consultant joins session using ISLonline Support 3. You copy a password into your computers copy buffer a. E.g. from KeePass Password Manager 4. Security issue: External consultants can now paste your password into e.g. his own Notepad as see it in clear text a. Password is revealed b. The other problem is that password remain in his copy buffer after session ends c. E.g. KeePasss auto clean copy buffer feature does not prevent problem Vendor: http://www.islonline.com/ Vendor issue code: ISLLIGHT-557, http://www.islonline.com/help/isl-releases-info/any/manual/?2013-11-29-rel-info-isl-light-desktop-plugin-1-4-7-win.htm Affected product: ISL light 3.5.4 compiled on Sep 26 2013 revision 30035 Solved: ISL Light Desktop plugin for Windows 1.4.7 (2013-11-29) Credit: This issue was reported by Juan Francisco Bolivar es.linkedin.com/in/jfbolivar/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6237 J. Francisco Bolivar


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top