An information disclosure vulnerability exists in the License registration functionality of Bachmann Visutec GmbH Atvise 3.5.4, 3.6 and 3.7. A plaintext HTTP request can lead to a disclosure of login credentials. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
Bachmann Visutec GmbH Atvise 3.5.4
Bachmann Visutec GmbH Atvise 3.6
Bachmann Visutec GmbH Atvise 3.7
Atvise - http://www.atvise.com
5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-319 - Cleartext Transmission of Sensitive Information
The Atvise SCADA software package is a cross-platform solution for managing SCADA networks.
While registering the Atvise software, the user has to enter the login and password for the Atvise.com website account into the client application. These credentials are then sent in a plaintext HTTP POST request to www.atvise.com. An attacker able to man-in-the-middle the connection could steal these credentials and use them to log into the Atvise website and download software and licenses. There is no impact to the machine running the client component.
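One way to check egress proxy logs for hosts that still send the plaintext POST described above. This is an added example, not part of the advisory or any vendor tooling; the log layout, the `/placeholder-path` URL path, the client addresses and all sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

VENDOR_DOMAIN = "atvise.com"  # vendor domain named in the advisory

# Constructed sample lines in an assumed proxy log layout:
#   timestamp client_ip method url status
# "/placeholder-path" is a placeholder, not a real endpoint.
SAMPLE_LOG = """\
2022-06-01T08:14:02Z 10.20.0.15 POST http://www.atvise.com/placeholder-path 200
2022-06-01T08:14:09Z 10.20.0.15 GET http://www.atvise.com/index.html 200
2022-06-01T08:15:40Z 10.20.0.22 CONNECT www.atvise.com:443 200
2022-06-01T08:16:11Z 10.20.0.31 POST http://WWW.ATVISE.COM:80/placeholder-path 200
2022-06-01T08:17:55Z 10.20.0.40 POST http://atvise.com.example.net/placeholder-path 200
2022-06-01T08:18:03Z 10.20.0.41 POST https://www.atvise.com/placeholder-path 200
malformed line
"""

def is_vendor_host(host):
    """True for the vendor domain or a subdomain, not for lookalike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)

def find_cleartext_posts(log_text):
    """Return (timestamp, client, host) for each plaintext POST to the vendor."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed layout
        ts, client, method, url, _status = fields
        if method.upper() != "POST":
            continue  # CONNECT (TLS tunnel) and GET carry no cleartext form body
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # unparseable URL
        # Only http:// exposes the POST body to an on-path observer.
        if parts.scheme == "http" and is_vendor_host(parts.hostname):
            hits.append((ts, client, parts.hostname))
    return hits

if __name__ == "__main__":
    for ts, client, host in find_cleartext_posts(SAMPLE_LOG):
        print(f"{ts} {client} sent a plaintext POST to {host}")
```

Clients flagged this way are candidates for the vendor update, and the website credentials they submitted should be treated as exposed.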
The vendor has provided an updated version at the following URL: https://customer.atvise.com/de/component/phocadownload/category/116-atvise-3-7
2022-02-02 - Initial vendor contact
2022-02-16 - Vendor Disclosure
2022-06-15 - Public Release
2022-06-15 - Vendor Patch Release
Discovered by Martin Zeiser of Cisco Talos.