Full Report
A Missing Password Field Masking vulnerability (CVE-2025-13175) has been found in Y Soft SafeQ 6 software.
Analysis Summary
# Vulnerability: Missing Password Field Masking in Y Soft SafeQ 6
## CVE Details
- CVE ID: CVE-2025-13175
- CVSS Score: Not specified (Severity unknown based on provided text)
- CWE: CWE-549 (Missing Password Field Masking)
## Affected Systems
- Products: Y Soft SafeQ 6
- Versions: All versions before MU106
- Configurations: Affects customers with a password-protected Workflow Connector.
## Vulnerability Description
The vulnerability exists in the Y Soft SafeQ 6 software where the Workflow Connector password field is rendered in the user interface without proper masking. This allows an administrator with UI access to view the cleartext password value by using browser developer or inspection tools.
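
The check below is an added example, not Y Soft code: a small audit that flags credential inputs in rendered admin-page HTML that are either not masked (CWE-549) or carry the stored secret in their `value` attribute. The second case goes beyond masking, since a `type="password"` field still exposes a pre-filled value to inspection tools. The field names and sample markup are constructed and hypothetical.

```python
from html.parser import HTMLParser

# Name fragments treated as credential fields (assumption for this example).
SECRET_HINTS = ("password", "passwd", "pwd", "secret")


class SecretFieldAudit(HTMLParser):
    """Collect <input> elements that expose a credential in the rendered page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        label = a.get("name") or a.get("id") or "?"
        ftype = (a.get("type") or "text").lower()
        looks_secret = any(h in label.lower() for h in SECRET_HINTS)
        if ftype != "password" and not looks_secret:
            return
        # Visible field holding a credential but rendered as plain text.
        if ftype not in ("password", "hidden"):
            self.findings.append((label, "not-masked"))
        # Stored secret echoed into the markup; masking does not hide this
        # from anyone who inspects the DOM.
        if a.get("value"):
            self.findings.append((label, "secret-in-markup"))


def audit(html):
    parser = SecretFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup; field names are hypothetical, not SafeQ's.
SAMPLE = """
<form>
  <input type="text" name="connectorName" value="scan-to-folder">
  <input type="text" name="connectorPassword" value="EXAMPLE-ONLY">
  <input type="password" name="smtpPassword" value="EXAMPLE-ONLY">
  <input type="password" name="apiPassword" value="">
</form>
"""

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```

An empty result for a settings page means the stored secret is neither shown in clear text nor sent back to the browser; the usual fix for a finding is to render a placeholder and only accept a new value on submit.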
## Exploitation
- Status: Details on active exploitation or PoC availability are not provided in the text.
- Complexity: Likely Low for an administrator already possessing UI access.
- Attack Vector: Local/Interface (Requires UI access to the administrative interface).
## Impact
- Confidentiality: High (Exposure of sensitive credentials/passwords).
- Integrity: Unknown (depends on whether the exposed password grants elevated access).
- Availability: Unknown
## Remediation
### Patches
- The fix is expected in Y Soft SafeQ 6 version **MU106** and later.
### Workarounds
- No specific workarounds are detailed in the source text, but limiting administrative UI access could reduce exposure.
## Detection
- Detection focuses on monitoring administrator access to the SafeQ 6 Workflow Connector configuration interface and unusual browser developer tools activity related to password fields.
## References
- Vendor Advisories: Not explicitly linked, but patch information is tied to version MU106.
- Relevant Links:
  - CERT Polska report page: hxxps://cert.pl/en/news/
  - CVD process information: hxxps://cert.pl/en/cvd/