Newforma Info Exchange Hard-Coded Key Vulnerability Allowing Authentication Bypass

Vulnerability

A vulnerability exists in Newforma Info Exchange (NIX) due to the use of a hard-coded key for encrypting certain query parameters. This key, shared across all NIX installations, can be exploited to bypass authentication and authorization by manipulating encrypted parameter values to specify file download paths. An example of this is the 'qs' parameter in '/DownloadWeb/download.aspx'. While NIX versions 2023.3 and 2024.1 have started to limit the use of hard-coded keys, this vulnerability still poses a risk in other versions.

Impact

Exploitation of this vulnerability could lead to unauthorized file downloads, bypassing authentication and authorization mechanisms.
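A defensive sketch of the fix for this class of flaw, added here as an example (not Newforma's code): a download token signed with a key generated per installation, bound to the signed-in user and an expiry, with the server-side access check still deciding. All function names, the token layout and the sample ACL are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

def new_install_key() -> bytes:
    # Generated once per installation and stored in protected config,
    # never compiled into the product (the flaw was one key for every site).
    return secrets.token_bytes(32)

def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_token(key, user, path, ttl=300, now=None):
    """Mint a download token bound to one user, one path and an expiry."""
    now = time.time() if now is None else now
    claims = {"u": user, "p": path, "exp": int(now) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _tag(key, payload)).decode()

def resolve_download(key, token, session_user, is_authorized, now=None):
    """Return the path to serve, or None if the request must be refused."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    payload, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, _tag(key, payload)):
        return None          # forged, or minted under a different key
    claims = json.loads(payload)
    if claims["exp"] < now or session_user is None or claims["u"] != session_user:
        return None          # expired, anonymous, or someone else's token
    # The token is only a hint: the server-side ACL stays authoritative.
    return claims["p"] if is_authorized(session_user, claims["p"]) else None

# Constructed sample ACL for the demonstration.
ACL = {("alice", "projects/a/spec.pdf")}
def acl_check(user, path):
    return (user, path) in ACL
```

With this shape, knowing the key of one installation gives nothing on another, and a valid token still cannot substitute for a session or an access-control decision.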

Added: Oct 9, 2025, 9:33 PM
Updated: Oct 9, 2025, 9:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.