
Security Advisory: Knowage Password Hash Disclosure

Posted by David Chadwick - 05 August, 2019


Knowage Password Hash Disclosure

Release date: 29/07/2019

Last update: 29/07/2019

Vendor: Knowage-suite

Vendor site: https://www.knowage-suite.com/site/home/

Product: Knowage

Affected version(s): 6.1.1

Remediated version: 6.4

Severity Rating: Low

Impact: Exposure of sensitive information

Attack vector: Remote with authentication

CVE: CVE-2019-13349


Details: The application returns users' password hashes when the user administration page is visited. These hashes can be taken offline and cracked to obtain the cleartext passwords. This requires administrator access, so exploitation is unlikely.

The following link provides a proof of concept; it returns a list of users and their password hashes:




Recommendation: Update to the latest patch.

Discovered by: David Chadwick from Content Security Pty. Ltd.
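
A regression check that can be run over a saved user-listing response after upgrading, to confirm that no password material is returned. This is an added example, not part of the original advisory or Knowage's code; the field names, sample responses and matching heuristics are constructed assumptions.

```python
import re

# Assumed heuristics, not Knowage's schema: key names hinting at credentials.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|pwd|hash|secret", re.I)
# Value shapes typical of stored password hashes.
HASH_SHAPES = [
    ("hex digest", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128})$", re.I)),
    ("crypt(3)-style", re.compile(r"^\$[0-9a-z-]+\$\S{20,}$")),
    ("scheme-prefixed base64", re.compile(r"^[#{][A-Za-z0-9-]+[#}][A-Za-z0-9+/]{20,}={0,2}$")),
]


def find_credential_fields(node, path="$"):
    """Walk a decoded JSON document; return (path, reason) for each suspect field."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # A populated field with a credential-like name is reported outright.
            if SENSITIVE_KEY.search(key) and value not in (None, "", [], {}):
                findings.append((child, "sensitive key name"))
            else:
                findings.extend(find_credential_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_credential_fields(item, f"{path}[{i}]"))
    elif isinstance(node, str):
        # Innocuous key name, but the value itself looks like a stored hash.
        for label, shape in HASH_SHAPES:
            if shape.match(node):
                findings.append((path, label))
                break
    return findings


# Constructed sample responses (field names and values are made up for the example).
RESPONSE_LEAKY = [
    {"id": 1, "userId": "admin", "fullName": "Admin User",
     "password": "0123456789abcdef0123456789abcdef"},
    {"id": 2, "userId": "jdoe", "fullName": "J. Doe",
     "attributes": {"legacy": "$2b$12$" + "A" * 53}},
]
RESPONSE_FIXED = [
    {"id": 1, "userId": "admin", "fullName": "Admin User"},
    {"id": 2, "userId": "jdoe", "fullName": "J. Doe", "attributes": {}},
]

if __name__ == "__main__":
    for name, doc in (("leaky", RESPONSE_LEAKY), ("fixed", RESPONSE_FIXED)):
        print(name, find_credential_fields(doc))
```

An empty result for the upgraded instance's response is the expected outcome; any finding names the JSON path to inspect.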
