Werk #9554: Use POST for starting backup restore job
| Field | Value |
|---|---|
| Component | Firmware |
| Title | Use POST for starting backup restore job |
| Date | Nov 24, 2023 |
| Level | Trivial Change |
| Class | Bug Fix |
| Compatibility | Compatible - no manual interaction needed |
| Appliance Version | 1.7.0, 1.6.9 |
When restoring a backup, the passphrase is submitted as a form field. The form used the GET method, so the passphrase ended up in the request URL and was written to the Apache access log.
We found this vulnerability internally.
Indicators of Compromise: Check /var/log/apache2/access.log for occurrences of the passphrase in logged request URLs.
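The check above can be scripted. The following is an added example, not code from the werk or the appliance: it parses Apache combined-format access log lines and reports requests whose query string carries a passphrase-like field. The log path, the sample lines and the URL path `/webconf/backup` are constructed placeholders, and the assumption that the leaked field name contains "passphrase" is ours, since the werk does not name the parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: the request line records method, path and
# query string, but never the request body. That is why a GET form leaks
# its fields into access.log while the same form sent via POST does not.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the leaked form field name contains "passphrase" (the werk
# does not state the exact parameter name). Adjust if yours differs.
SENSITIVE = re.compile(r'passphrase', re.IGNORECASE)


def find_leaked_passphrases(lines):
    """Return (timestamp, client, path, [field names]) for every request
    whose query string carries a passphrase-like field. The field values
    are deliberately not returned, so the secret is not copied again into
    a ticket, a SIEM alert or a second log file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or rotated-in lines rather than crash
        parts = urlsplit(m.group('target'))
        fields = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                  if SENSITIVE.search(k)]
        if fields:
            hits.append((m.group('ts'), m.group('host'), parts.path, fields))
    return hits


# Constructed sample lines (not real appliance logs); the URL path and the
# field names are placeholders, not the appliance's actual endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2023:10:15:01 +0100] "GET /webconf/backup?action=restore&passphrase=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Nov/2023:10:15:02 +0100] "GET /webconf/backup HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Nov/2023:10:16:40 +0100] "POST /webconf/backup HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that is not a log entry
""".splitlines()

if __name__ == "__main__":
    for ts, host, path, fields in find_leaked_passphrases(SAMPLE_LOG):
        print(f"{ts} {host} {path} leaked field(s): {', '.join(fields)}")
```

On a real system, pass `open('/var/log/apache2/access.log')` (and any rotated copies) instead of `SAMPLE_LOG`; a hit means the passphrase is present in that file and the log should be handled accordingly.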
Vulnerability Management: We have rated the issue with a CVSS Score of 3.3 (Low) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. We assigned CVE-2023-6287 to this vulnerability.
Changes: With this Werk the form method is changed to POST, so the passphrase is sent in the request body and no longer appears in the access log.