
Security Advisory: Knowage Password Hash Disclosure

Posted by David Chadwick - 05 August, 2019


Knowage Password Hash Disclosure

Release date: 29/07/2019

Last update: 29/07/2019

Vendor: Knowage-suite

Vendor site: https://www.knowage-suite.com/site/home/

Product: Knowage

Affected version(s): 6.1.1

Remediated version: 6.4

Severity Rating: Low

Impact: Exposure of sensitive information

Attack vector: Remote with authentication

CVE: CVE-2019-13349


Details: The application returns the password hashes of all users when the user administration page is visited. These hashes can be taken offline and cracked to recover the cleartext passwords. Viewing the page requires administrator access, so exploitation is unlikely.

The following link provides a proof of concept; it returns a list of users and their password hashes:




Recommendation: Update to the latest patch.
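As an added example (not from the advisory and not Knowage's own code), a Python check that a defender could run over a saved user-administration response from their own instance to confirm that no password hashes are still returned after upgrading. The JSON field names, the hash encodings it looks for, and the sample response are assumptions, not Knowage's actual format.

```python
import json
import re

# Encodings commonly used for stored password hashes. Assumed set: the advisory
# does not state which algorithm Knowage used.
HASH_PATTERNS = {
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    # 32/40/64 hex chars: MD5, SHA-1, SHA-256. Note a dash-less UUID also
    # matches 32 hex chars, so review hits of this kind by hand.
    "hex-digest": re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I),
    "base64-sha": re.compile(r"^(?:[A-Za-z0-9+/]{27}=|[A-Za-z0-9+/]{43}=)$"),
}

# Field names that indicate a credential regardless of the value's shape.
SUSPICIOUS_KEYS = {"password", "passwd", "pwd", "hash", "password_hash"}


def find_hash_leaks(payload, path=""):
    """Walk a decoded JSON document and return (json_path, kind) for every string
    that sits under a credential key or matches a known password-hash encoding."""
    leaks = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str):
                if key.lower() in SUSPICIOUS_KEYS and value:
                    leaks.append((child, "credential-field"))
                    continue
                for kind, pattern in HASH_PATTERNS.items():
                    if pattern.match(value):
                        leaks.append((child, kind))
                        break
            else:
                leaks.extend(find_hash_leaks(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            leaks.extend(find_hash_leaks(item, f"{path}[{i}]"))
    return leaks


def audit_response(body):
    """Parse a captured user-listing response body and report leaked hashes."""
    return find_hash_leaks(json.loads(body))


# Constructed sample of what an unpatched user-listing response might look like.
SAMPLE_RESPONSE = json.dumps([
    {"userId": "biadmin", "fullName": "Admin", "password": "deadbeef" * 5},
    {"userId": "biuser", "fullName": "User", "roles": ["user"]},
    {"userId": "etl", "credential": "$2a$10$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ."},
])

if __name__ == "__main__":
    for json_path, kind in audit_response(SAMPLE_RESPONSE):
        print(f"leak at {json_path}: {kind}")
```

Run it against a response captured from your own instance's user administration page; an empty result after the upgrade is the expected outcome.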

Discovered by: David Chadwick from Content Security Pty. Ltd.
