CVE Vulnerabilities

CVE-2020-14930

Cleartext Transmission of Sensitive Information

Published: Jun 19, 2020 | Modified: Nov 21, 2024
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

An issue was discovered in BT CTROMS Terminal OS Port Portal CT-464. Account takeover can occur because the password-reset feature discloses the verification token. Upon a getverificationcode.jsp request, this token is transmitted not only to the registered phone number of the user account, but is also transmitted to the unauthenticated HTTP client.

Weakness

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Affected Software

Name Vendor Start Version End Version
Bt_ctroms_terminal Bt_ctroms_terminal_project - (including) - (including)

Potential Mitigations

References