CVE-2006-3785 - Symantec pcAnywhere 12.5 obfuscates the passwords in a GUI textbox with asterisks but does not encry

CVE-2006-3785

Summary

Symantec pcAnywhere 12.5 obfuscates the passwords in a GUI textbox with asterisks but does not encrypt them in the associated .cif (aka caller or CallerID) file, which allows local users to obtain the passwords from the window using tools such as Nirsoft Asterwin.

References

http://securityreason.com/securityalert/1261
http://www.digitalbullets.org/?p=3
http://www.securityfocus.com/archive/1/440448/100/0/threaded

Vulnerable Configurations

cpe:2.3:a:symantec:pcanywhere:12.5:*:*:*:*:*:*:*
cpe:2.3:a:symantec:pcanywhere:12.5:*:*:*:*:*:*:*

CVSS

Base:	2.1 (as of 17-10-2018 - 21:30)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:L/AC:L/Au:N/C:P/I:N/A:N

refmap via4

bugtraq	20060718 PcAnywhere > 12 Local Privilege Escalation
misc	http://www.digitalbullets.org/?p=3
sreason	1261

Last major update

17-10-2018 - 21:30

Published

24-07-2006 - 12:19

Last modified

17-10-2018 - 21:30