Search criteria
1 vulnerability by finrota
CVE-2024-6400 (GCVE-0-2024-6400)
Vulnerability from cvelistv5 – Published: 2024-10-04 11:12 – Updated: 2026-06-03 12:49
VLAI
Title
Cleartext Storage of Username and Password in Finrota's Netahsilat
Summary
Cleartext Storage of Sensitive Information, Exposure of Sensitive Information Through Data Queries vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data, Authentication Bypass, IMAP/SMTP Command Injection, Collect Data from Common Resource Locations.
This issue solved in versions 1.21.10, 1.23.01, 1.23.08, 1.23.11 and 1.24.03.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.usom.gov.tr/bildirim/tr-24-1611 | government-resourcebroken-link |
| https://siberguvenlik.gov.tr/guvenlik-bildirimler… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Finrota | Netahsilat |
Unaffected:
1.23.11
(custom)
Unaffected: 1.23.08 (custom) Unaffected: 1.23.01 (custom) Unaffected: 1.21.10 (custom) Unaffected: 1.24.03 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-04T13:59:47.517218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-04T13:59:57.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Netahsilat",
"vendor": "Finrota",
"versions": [
{
"status": "unaffected",
"version": "1.23.11",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.23.08",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.23.01",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.21.10",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.24.03",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kaan ATMACA"
},
{
"lang": "en",
"type": "sponsor",
"value": "Secure Future Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cleartext Storage of Sensitive Information, Exposure of Sensitive Information Through Data Queries vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data, Authentication Bypass, IMAP/SMTP Command Injection, Collect Data from Common Resource Locations.\u003cp\u003e\nThis issue solved in versions 1.21.10, 1.23.01, 1.23.08, 1.23.11 and 1.24.03.\n\n\u003c/p\u003e"
}
],
"value": "Cleartext Storage of Sensitive Information, Exposure of Sensitive Information Through Data Queries vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data, Authentication Bypass, IMAP/SMTP Command Injection, Collect Data from Common Resource Locations.\n\n\nThis issue solved in versions 1.21.10, 1.23.01, 1.23.08, 1.23.11 and 1.24.03."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-183",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-183 IMAP/SMTP Command Injection"
}
]
},
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202 Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:49:26.257Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"government-resource",
"broken-link"
],
"url": "https://www.usom.gov.tr/bildirim/tr-24-1611"
},
{
"tags": [
"government-resource"
],
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1611"
}
],
"source": {
"advisory": "TR-24-1611",
"defect": [
"TR-24-1611"
],
"discovery": "UNKNOWN"
},
"title": "Cleartext Storage of Username and Password in Finrota\u0027s Netahsilat",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2024-6400",
"datePublished": "2024-10-04T11:12:30.441Z",
"dateReserved": "2024-06-28T11:59:51.082Z",
"dateUpdated": "2026-06-03T12:49:26.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}