CVE-2025-8307
Client-Side Password Decoding Vulnerability in Asseco InfoMedica
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: CERT.PL
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asseco_infomedica | asseco_infomedica | 4.50.1 |
| asseco_infomedica | asseco_infomedica | 5.38.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-257 | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Asseco InfoMedica to version 4.50.1 or 5.38.0 (or a later release); the issue is fixed in those versions.
Can you explain this vulnerability to me?
Asseco InfoMedica stores user passwords in its database in an encoded, reversible format rather than as one-way hashes. Because the encoding algorithm ships in the client-side part of the software, anyone who obtains the encoded values can recover the plaintext passwords without further effort.
How can this vulnerability impact me?
If an attacker obtains the encoded passwords, they can decode them and potentially gain unauthorized access to user accounts, compromising both administrative and medical data managed by the software.