CVE-2026-22543

The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials

CVSS

No CVSS.

References

Link	Resource
https://cds.thalesgroup.com/en

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Las credenciales necesarias para acceder al servidor web del dispositivo se envían en base64 dentro de los encabezados HTTP. Dado que base64 no se considera un cifrado fuerte, un atacante podría interceptar la solicitud web que maneja el inicio de sesión y obtener las credenciales.

07 Jan 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-07 17:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-22543

Mitre link : CVE-2026-22543

CVE.ORG link : CVE-2026-22543

JSON object : View

Products Affected

No product.

CWE

CWE-261

Weak Encoding for Password

{"id": "CVE-2026-22543", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "50b5080a-775f-442e-83b5-926b5ca517b6", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-07T17:16:04.057", "references": [{"url": "https://cds.thalesgroup.com/en", "source": "50b5080a-775f-442e-83b5-926b5ca517b6"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "50b5080a-775f-442e-83b5-926b5ca517b6", "description": [{"lang": "en", "value": "CWE-261"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-261"}]}], "descriptions": [{"lang": "en", "value": "The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials"}, {"lang": "es", "value": "Las credenciales necesarias para acceder al servidor web del dispositivo se env\u00edan en base64 dentro de los encabezados HTTP. Dado que base64 no se considera un cifrado fuerte, un atacante podr\u00eda interceptar la solicitud web que maneja el inicio de sesi\u00f3n y obtener las credenciales."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "50b5080a-775f-442e-83b5-926b5ca517b6"}