Description
Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data.

This issue affects OpenConcerto: 1.7.5.
Published: 2026-05-04
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenConcerto performs plaintext storage of user passwords, a weakness classified as CWE‑256. An attacker who obtains access to the application’s storage files can directly read these credentials and any other embedded sensitive data, potentially leading to user account compromise and lateral movement within the system. The description indicates that the vulnerability allows the retrieval of embedded sensitive data, meaning that confidentiality and integrity of stored credentials are lost.

Affected Systems

Vendors: ILM Informatique. Product: OpenConcerto. Version affected: 1.7.5.

Risk and Exploitability

The CVSS score of 4.8 indicates medium severity, with limited impact based on the data provided. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited exploitation activity reported to date. The attack vector is not explicitly described; it is inferred to require access to the system’s configuration or data storage files, which could be achieved locally or remotely if the application is exposed to network interfaces. The weakness allows direct retrieval of plaintext passwords, providing an attacker with user credentials and potentially other sensitive information stored within the same files.

Generated by OpenCVE AI on May 4, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a secure OpenConcerto release that hashes passwords instead of storing them in plaintext.
  • Remove or update any configuration files that still contain plaintext passwords, re‑importing credentials securely after the upgrade.
  • Restrict file‑system permissions for configuration directories so that only trusted administrators can view or modify them.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Ilm Informatique; Ilm Informatique openconcerto |
| Vendors & Products | | Ilm Informatique; Ilm Informatique openconcerto |

Mon, 04 May 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Plaintext Password Storage in OpenConcerto Enabling Sensitive Data Retrieval |

Mon, 04 May 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Mon, 04 May 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data. This issue affects OpenConcerto: 1.7.5. |
| Weaknesses | | CWE-256 |
| References | | |
| Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: TCS-CERT

Published:

Updated: 2026-05-04T15:31:41.588Z

Reserved: 2026-04-17T09:34:00.554Z

Link: CVE-2026-6500

Vulnrichment

Updated: 2026-05-04T15:31:38.027Z

NVD

Status: Received

Published: 2026-05-04T15:16:05.033

Modified: 2026-05-04T15:16:05.033

Link: CVE-2026-6500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:44:11Z

Weaknesses