Knowage Password Hash Disclosure
Release date: 29/07/2019
Last update: 29/07/2019
Vendor site: https://www.knowage-suite.com/site/home/
Affected version(s): 6.1.1
Remediated version: 6.4
Severity Rating: Low
Impact: Exposure of sensitive information
Attack vector: Remote with authentication
Details: The application includes each user's password hash in the response of the user administration page. These hashes can be taken offline to crack and recover the cleartext passwords. Viewing the page requires administrator access, so exploitation is unlikely.
The following link provides a proof of concept; it returns a list of users and their password hashes:
Recommendation: Update to the latest patch.
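The root cause described above is a user-listing response that serializes the whole stored user record, credential hash included. The Python below is an added illustration written for this advisory, not Knowage code: it places a leaky serializer beside a field-allowlist serializer, and adds a response scanner that a regression test can run over the JSON-like payload to flag anything that looks like a stored credential hash before it reaches an admin's browser. The `User` fields, the sample records and the hash-shaped placeholder values are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class User:
    # Hypothetical user record; field names are assumptions for the example.
    user_id: str
    full_name: str
    password_hash: str  # stored credential material; must never leave the server
    roles: tuple


# Constructed sample records. The hash values are made-up placeholders shaped like
# bcrypt output ($2a$<cost>$ + 53 base64 chars), not real credentials.
SAMPLE_USERS = [
    User("biadmin", "Admin User", "$2a$10$" + "A" * 53, ("admin",)),
    User("analyst", "Data Analyst", "$2a$10$" + "B" * 53, ("user",)),
]


def serialize_user_vulnerable(user):
    """Weak form: dumps every attribute of the record, hash included."""
    return dict(vars(user))


# Hardened form: an explicit allowlist of fields the admin UI actually needs.
SAFE_FIELDS = ("user_id", "full_name", "roles")


def serialize_user_safe(user):
    """Only allowlisted fields are copied; new sensitive columns stay private by default."""
    return {field: getattr(user, field) for field in SAFE_FIELDS}


def list_users(users, serializer):
    """Builds the payload the user administration endpoint would return."""
    return [serializer(u) for u in users]


# Shapes of common stored-credential hashes: bcrypt, and bare hex of MD5/SHA-1/SHA-256 length.
HASH_PATTERN = re.compile(
    r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"
    r"|\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b"
)


def find_hash_leaks(payload, path="$"):
    """Walk a JSON-like structure; return (json_path, value) for every hash-shaped string."""
    leaks = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            leaks.extend(find_hash_leaks(value, f"{path}.{key}"))
    elif isinstance(payload, (list, tuple)):
        for index, value in enumerate(payload):
            leaks.extend(find_hash_leaks(value, f"{path}[{index}]"))
    elif isinstance(payload, str) and HASH_PATTERN.search(payload):
        leaks.append((path, payload))
    return leaks


def response_is_clean(payload):
    """Regression check: True when no credential-hash-shaped value is present."""
    return not find_hash_leaks(payload)


if __name__ == "__main__":
    leaky = list_users(SAMPLE_USERS, serialize_user_vulnerable)
    for json_path, value in find_hash_leaks(leaky):
        print(f"LEAK at {json_path}: {value[:12]}...")
    print("safe serializer clean:", response_is_clean(list_users(SAMPLE_USERS, serialize_user_safe)))
```

The allowlist is the important design choice: a denylist that strips `password_hash` silently fails the next time a sensitive column (salt, reset token, TOTP seed) is added to the record, whereas an allowlist keeps new fields private until someone deliberately exposes them. Running `find_hash_leaks` over real endpoint responses in an integration test catches regressions of this class regardless of which field carried the hash.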
Discovered by: David Chadwick from Content Security Pty. Ltd.