{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-12057", "assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "state": "PUBLISHED", "assignerShortName": "arcinfo", "dateReserved": "2024-12-02T19:57:23.640Z", "datePublished": "2024-12-09T19:08:15.527Z", "dateUpdated": "2024-12-10T21:22:49.837Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Web Server Extensions"], "product": "PcVue", "vendor": "arcinfo", "versions": [{"lessThan": "16.2.4", "status": "affected", "version": "15.0", "versionType": "cpe"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Only servers where the Web &amp; Mobile features are deployed are affected.<br>The PcVue Web back end and the Web Server must run different versions."}], "value": "Only servers where the Web & Mobile features are deployed are affected.\nThe PcVue Web back end and the Web Server must run different versions."}], "datePublic": "2024-12-02T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "User credentials (login &amp; password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.<br>By exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application."}], "value": "User credentials (login & password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.\nBy exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "No POC available."}], "value": "No POC available."}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Not known to be exploited"}], "value": "Not known to be exploited"}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 1.8, "baseSeverity": "LOW", "privilegesRequired": "HIGH", "providerUrgency": "CLEAR", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:C/RE:M/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "shortName": "arcinfo", "dateUpdated": "2024-12-09T19:08:15.527Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.pcvue.com/security/#SB2024-6"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<b><u>Uninstall the Web Server<br></u></b>If your system does not require the use of the Web &amp; Mobile features, you should make sure not to install them. <br><b><u><br>Re-deploy the Web Server:</u></b><br>Re-deploy the Web Server with the Web Deployment Console (WDC) provided with the PcVue Web back end installation so that the PcVue Web back end and the Web server run the same version.<br><br>\n\n<b><u>Update the PcVue Web back end</u></b><br>Install a patched release of the product, including the Web back end and Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server. In case of future updates, credentials will no longer be inserted into the Log files even if the PcVue back end and the Web server are incompatible.<br><br><b><u>Available patches:</u></b><br>Fixed in:<br><ul><li>16.2.4</li></ul>Planned in:<br><ul><li>15.2.11</li></ul>"}], "value": "Uninstall the Web Server\nIf your system does not require the use of the Web & Mobile features, you should make sure not to install them. \n\nRe-deploy the Web Server:\nRe-deploy the Web Server with the Web Deployment Console (WDC) provided with the PcVue Web back end installation so that the PcVue Web back end and the Web server run the same version.\n\n\n\nUpdate the PcVue Web back end\nInstall a patched release of the product, including the Web back end and Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server. In case of future updates, credentials will no longer be inserted into the Log files even if the PcVue back end and the Web server are incompatible.\n\nAvailable patches:\nFixed in:\n * 16.2.4\n\n\nPlanned in:\n * 15.2.11"}], "source": {"advisory": "SB2024-6", "discovery": "EXTERNAL"}, "title": "User credentials recorded in log files", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-10T21:22:40.386531Z", "id": "CVE-2024-12057", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-10T21:22:49.837Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12057", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-10T21:22:40.386531Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-10T21:22:46.259Z"}}], "cna": {"title": "User credentials recorded in log files", "source": {"advisory": "SB2024-6", "discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 1.8, "Automatable": "NO", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:C/RE:M/U:Clear", "providerUrgency": "CLEAR", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "arcinfo", "modules": ["Web Server Extensions"], "product": "PcVue", "versions": [{"status": "affected", "version": "15.0", "lessThan": "16.2.4", "versionType": "cpe"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "No POC available.", "supportingMedia": [{"type": "text/html", "value": "No POC available.", "base64": false}]}, {"lang": "en", "value": "Not known to be exploited", "supportingMedia": [{"type": "text/html", "value": "Not known to be exploited", "base64": false}]}], "solutions": [{"lang": "en", "value": "Uninstall the Web Server\nIf your system does not require the use of the Web & Mobile features, you should make sure not to install them. \n\nRe-deploy the Web Server:\nRe-deploy the Web Server with the Web Deployment Console (WDC) provided with the PcVue Web back end installation so that the PcVue Web back end and the Web server run the same version.\n\n\n\nUpdate the PcVue Web back end\nInstall a patched release of the product, including the Web back end and Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server. In case of future updates, credentials will no longer be inserted into the Log files even if the PcVue back end and the Web server are incompatible.\n\nAvailable patches:\nFixed in:\n * 16.2.4\n\n\nPlanned in:\n * 15.2.11", "supportingMedia": [{"type": "text/html", "value": "<b><u>Uninstall the Web Server<br></u></b>If your system does not require the use of the Web &amp; Mobile features, you should make sure not to install them. <br><b><u><br>Re-deploy the Web Server:</u></b><br>Re-deploy the Web Server with the Web Deployment Console (WDC) provided with the PcVue Web back end installation so that the PcVue Web back end and the Web server run the same version.<br><br>\n\n<b><u>Update the PcVue Web back end</u></b><br>Install a patched release of the product, including the Web back end and Web Deployment Console (WDC) and use the WDC to re-deploy the Web Server. In case of future updates, credentials will no longer be inserted into the Log files even if the PcVue back end and the Web server are incompatible.<br><br><b><u>Available patches:</u></b><br>Fixed in:<br><ul><li>16.2.4</li></ul>Planned in:<br><ul><li>15.2.11</li></ul>", "base64": false}]}], "datePublic": "2024-12-02T23:00:00.000Z", "references": [{"url": "https://www.pcvue.com/security/#SB2024-6", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "User credentials (login & password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.\nBy exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application.", "supportingMedia": [{"type": "text/html", "value": "User credentials (login &amp; password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.<br>By exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File"}]}], "configurations": [{"lang": "en", "value": "Only servers where the Web & Mobile features are deployed are affected.\nThe PcVue Web back end and the Web Server must run different versions.", "supportingMedia": [{"type": "text/html", "value": "Only servers where the Web &amp; Mobile features are deployed are affected.<br>The PcVue Web back end and the Web Server must run different versions.", "base64": false}]}], "providerMetadata": {"orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "shortName": "arcinfo", "dateUpdated": "2024-12-09T19:08:15.527Z"}}}, "cveMetadata": {"cveId": "CVE-2024-12057", "state": "PUBLISHED", "dateUpdated": "2024-12-10T21:22:49.837Z", "dateReserved": "2024-12-02T19:57:23.640Z", "assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "datePublished": "2024-12-09T19:08:15.527Z", "assignerShortName": "arcinfo"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "User credentials (login & password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end.\nBy exploiting this vulnerability, an attacker could retrieve the credentials of a user by accessing the Log File. Successful exploitation of this vulnerability could lead to unauthorized access to the application."}], "id": "CVE-2024-12057", "lastModified": "2024-12-09T19:15:12.750", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "automatable": "NO", "availabilityRequirements": "NOT_DEFINED", "baseScore": 1.8, "baseSeverity": "LOW", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "CLEAR", "recovery": "USER", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Clear", "version": "4.0", "vulnerabilityResponseEffort": "MODERATE", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW"}, "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "type": "Secondary"}]}, "published": "2024-12-09T19:15:12.750", "references": [{"source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "url": "https://www.pcvue.com/security/#SB2024-6"}], "sourceIdentifier": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932", "type": "Secondary"}]}

{}