CVE-2023-33243

Description

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.

NVD
Severity: HIGH
CVE ID: CVE-2023-33243
CVSS Score: 8.1
CVSS Metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Refrence: NVD MITRE

Proof Of Concept

RedTeamPentesting

PoC for login with password hash in STARFACE

Refrence: GitHub

Description​

Proof Of Concept​

Description

Proof Of Concept