| CVE ID | CVE-2024-11504 |
|---|---|
| Publication date | 28 March 2025 |
| Vendor | Streamsoft |
| Product | Streamsoft Prestiż |
| Vulnerable versions | All before 18.1.376.37 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2024-7407 |
|---|---|
| Publication date | 28 March 2025 |
| Vendor | Streamsoft |
| Product | Streamsoft Prestiż |
| Vulnerable versions | All before 18.2.377 |
| Vulnerability type (CWE) | Weak Encoding for Password (CWE-261) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about two vulnerabilities in Streamsoft Prestiż software and participated in coordinating their disclosure.
CVE-2024-11504: Input from multiple fields in Streamsoft Prestiż is not sanitized properly, leading to an SQL injection vulnerability that might be exploited by an authenticated remote attacker. This issue was fixed in version 18.1.376.37 of the software.
CVE-2024-7407: Use of a custom password encoding algorithm in Streamsoft Prestiż software allows decoding or brute-forcing users' passwords stored in the database. This issue was fixed in version 18.2.377 of the software.
Credits
We thank Kamil Dąbkowski for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.