MidnightBSD

Advisories for topquadrant

CVE-2024-45744

TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745. At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 3.0 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N 1.3 1.4

Products Affected

Vendor Product Version
topquadrant topbraid_edg 7.1.3
CVE-2024-45745

TopQuadrant TopBraid EDG before version 8.0.1 allows an authenticated attacker to upload an XML DTD file and execute JavaScript to read local files or access URLs (XXE). Fixed in 8.0.1 (bug fix: TBS-6721).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 5.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 3.1 1.4

Products Affected

Vendor Product Version
topquadrant topbraid_edg *