Intelbras InControl
cpe:2.3:a:intelbras:incontrol_web:*:*:*:*:*:*:*
- <= 2.21.59
A vulnerability exists in Intelbras InControl versions through 2.21.59, specifically within an unknown function on the Dispositivos Edição Page. The issue arises from the improper storage of communication password credentials, which can be accessed remotely. This vulnerability has been publicly disclosed and is reportedly being addressed in a future release.
Exploitation of this vulnerability allows for the unauthorized disclosure of stored password credentials, which could lead to unauthorized access or manipulation of related components.
To reproduce this vulnerability, an administrator must access the Dispositivos Edição Page and register external devices or addresses, including a communication password. Once the password is saved, it is present on the configuration screen in an insecure format: an input field that is only masked (type='password'). An attacker with administrative access can change the input type to 'text', exposing the password in plain view.
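A defensive check for the pattern described above, added here as an example and not taken from the advisory or from Intelbras code: it scans captured HTML for password inputs that arrive with a pre-filled value. The form markup and the field name `comm_password` are constructed assumptions, since the advisory does not show the real page source, and the check only sees values present in the serialized HTML.

```python
from html.parser import HTMLParser


class PrefilledSecretFinder(HTMLParser):
    """Collects <input type="password"> elements whose value attribute carries data."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() == "password" and a.get("value", "").strip():
            # Report the field name and secret length only; never echo the secret.
            name = a.get("name") or a.get("id") or "<unnamed>"
            self.findings.append((name, len(a["value"])))


def find_prefilled_password_fields(html):
    """Return [(field_name, value_length)] for every pre-populated password input."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: the edit form echoes the stored secret back to the browser.
VULNERABLE_FORM = """
<form id="device-edit">
  <input type="text" name="address" value="192.0.2.10">
  <input type="password" name="comm_password" value="S3cr3t-constructed">
</form>
"""

# Constructed sample: the secret is never sent; an empty field means "keep current".
HARDENED_FORM = """
<form id="device-edit">
  <input type="text" name="address" value="192.0.2.10">
  <input type="password" name="comm_password" value="" placeholder="unchanged"
         autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_FORM), ("hardened", HARDENED_FORM)):
        print(label, find_prefilled_password_fields(page))
```

Masking with type='password' only hides the characters on screen; any finding from this check means the secret itself was delivered to the client.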