Advisory ID: usd-2022-0057
Product: Cash Point & Transport Optimizer CPTO
Affected Version: 6.3.8.6 (#718) 06.07.2021
Vulnerability Type: CWE 640 - Weak Password Recovery Mechanism for Forgotten Password
Security Risk: Low
Vendor URL: https://www.sesami.io/
Vendor Acknowledged Vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-31300
CVE Link: Pending

Description
The Reset Password feature sends new passwords unencrypted, in clear text, via email.

Fix
Users should update CPTO to its current version.

Instead of emailing the password itself, an email should be sent to the user's authorized email address containing a link that takes the user to a page for resetting the password. This link should be served over SSL/TLS and remain active for only a short time. This way the actual password is never seen in transit or in the mailbox. The security benefits of this method are: the password is not sent in the mail, and since the link is active for only a short time, there is no harm even if the mail remains in the mailbox for a long time.

References
https://owasp.org/www-community/OWASP_Application_Security_FAQ

Timeline
2022-11-03: Vulnerabilities discovered by Marcus Nilsson.
2022-11-28: The Responsible Disclosure team tries to establish contact with the vendor for the first time.
2023-04-27: CVE IDs are requested and subsequently reserved.
2023-05-12: Attempts to establish contact via phone and email have been unsuccessful; usd AG's customer notifies the team that the vulnerabilities should be fixed by autumn.
2023-11-23: Marcus Nilsson got in touch with the vendor; the advisories shall be published without a Proof-of-Concept of the exploits in December.
2022-12-21: Advisory published by usd AG.

Credits
This security vulnerability was found by Marcus Nilsson of usd AG.
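The reset flow recommended in the Fix section, as an added example that is not part of the advisory and not the vendor's code: the email carries only a random, single-use, time-limited link; the server stores a hash of the token, so neither the mail nor a leaked token table reveals a usable credential. The hostname, the 15-minute lifetime and the in-memory store are assumptions made for this illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory store for the example; a real deployment keeps this in
# the application's database. Records are keyed by the SHA-256 of the token so
# that a copy of the table cannot be turned into working reset links.
RESET_TOKENS: dict[str, dict] = {}
TOKEN_LIFETIME_SECONDS = 15 * 60  # assumed "short time" the link stays valid


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_link(user_id: str, now: Optional[float] = None) -> str:
    """Issue a reset link for user_id. Only this link goes into the email; no
    password is generated or transmitted at any point."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG, not guessable
    RESET_TOKENS[_token_hash(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_LIFETIME_SECONDS,
        "used": False,
    }
    # Hypothetical HTTPS endpoint: the link must never be served over plain HTTP.
    return f"https://cpto.example.invalid/reset?token={token}"


def verify_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id a token belongs to, or None if the token is unknown,
    expired or already used. A valid token is consumed so it works only once."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_token_hash(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True  # single use: a replayed link from an old mail fails
    return record["user_id"]
```

After verify_reset_token returns a user id, the application lets that user choose a new password on the reset page; an expired or reused link simply yields None.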