Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2024-11504 and CVE-2024-7407) found in Streamsoft Prestiż software.
Analysis Summary
# Vulnerabilities Summary: Streamsoft Prestiż Software Flaws
This summary details two vulnerabilities reported against Streamsoft Prestiż software, focusing on SQL Injection and weak password encoding.
## CVE Details
- CVE ID: CVE-2024-11504
  - CVSS Score: Not provided in source (Severity inferred as High due to SQLi)
  - CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
- CVE ID: CVE-2024-7407
  - CVSS Score: Not provided in source (Severity inferred as Medium/High due to password exposure risk)
  - CWE: CWE-261 (Weak Encoding for Password)
## Affected Systems
- Products: Streamsoft Prestiż
- Versions:
  - For CVE-2024-11504: All versions before 18.1.376.37
  - For CVE-2024-7407: All versions before 18.2.377
- Configurations: No specific external configurations mentioned, but exploitation for CVE-2024-11504 requires authentication.
## Vulnerability Description
**CVE-2024-11504 (SQL Injection):** Input supplied via multiple fields within the Streamsoft Prestiż application is not properly sanitized. This allows an authenticated remote attacker to inject malicious SQL commands into database queries.
**CVE-2024-7407 (Weak Password Encoding):** The software employs a custom password encoding algorithm. This weakness makes user passwords stored in the database susceptible to decoding or brute-forcing attacks.
## Exploitation
- Status: Information on active exploitation or PoC availability is **not mentioned** in the source.
- Complexity: CVE-2024-11504 requires *authentication*.
- Attack Vector: CVE-2024-11504 is reported as being exploitable by a *remote attacker*.
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2024-11504 (SQLi) | High (Data exfiltration) | High (Data modification/deletion) | Potentially High |
| CVE-2024-7407 (Weak Encoding) | High (Account takeover risk) | Medium (Related to unauthorized access) | Low |
## Remediation
### Patches
- For CVE-2024-11504: Update to version **18.1.376.37** or later.
- For CVE-2024-7407: Update to version **18.2.377** or later.
### Workarounds
- No specific workarounds were detailed in the provided source summary. Because exploiting CVE-2024-11504 requires authentication, restricting who can authenticate to the application may reduce immediate remote risk, though this does not mitigate the underlying flaw.
## Detection
- Detection strategies are **not explicitly provided** in the source material.
- **General Indicators of Compromise (IoCs) for SQLi (CVE-2024-11504):** Unusual database query logs, high volumes of unexpected traffic from authenticated user sessions, or application errors related to database syntax.
- **General Monitoring:** Monitor application logs for non-standard input patterns in user-facing fields.
## References
- Vendor advisories: None specified, rely on CERT Polska disclosure coordination.
- Relevant links:
  - CERT Polska coordinated vulnerability disclosure process: hXXps://cert.pl/en/cvd/