Skip to main content

ILM OpenConcerto CVE-2026-6500

| EUVDEUVD-2026-26971 MEDIUM
Plaintext Storage of a Password (CWE-256)
2026-05-04 TCS-CERT
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 17:15 vuln.today
CVSS changed
May 04, 2026 - 15:22 NVD
4.8 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 15:00 euvd
EUVD-2026-26971
Analysis Generated
May 04, 2026 - 15:00 vuln.today
CVE Published
May 04, 2026 - 14:16 nvd
MEDIUM 4.8

DescriptionCVE.org

Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data.

This issue affects OpenConcerto: 1.7.5.

AnalysisAI

ILM Informatique OpenConcerto 1.7.5 stores sensitive passwords in plaintext, allowing authenticated local users to retrieve embedded credentials with low complexity. The vulnerability enables information disclosure of authentication data accessible via local file access, confirmed by CISA SSVC framework as having partial technical impact but no evidence of active exploitation.

Technical ContextAI

OpenConcerto is a business management software suite that likely stores database credentials, API keys, or service account passwords in plaintext configuration files or application memory accessible to authenticated local users. CWE-256 (Plaintext Storage of Password) indicates the root cause is failure to encrypt or hash sensitive credentials before storage. The CPE notation indicates this affects all configurations of OpenConcerto version 1.7.5 across all platforms and deployment modes. Attackers with local access and user-level privileges can read sensitive data directly from the file system, environment variables, or application logs without requiring elevation or additional attack steps.

RemediationAI

Upgrade ILM OpenConcerto to a patched version released after 1.7.5 if available from the vendor's official repository at openconcerto.org. If an immediate patch is unavailable, implement compensating controls: (1) Restrict file system access to OpenConcerto configuration and data directories using POSIX permissions (chmod 600 for credential files, restrict to owner), (2) Deploy host-based access controls (SELinux, AppArmor) to prevent unauthorized processes from reading configuration files, (3) Encrypt sensitive credentials at rest using application-level encryption or a secrets management solution before OpenConcerto deployment (environment variables, HashiCorp Vault), (4) Audit access logs for unauthorized reads of credential storage locations. Note that file-system-level access controls are OS-dependent and may impact backup/recovery workflows - test mitigations in non-production first. Consult the vendor advisory at openconcerto.org/fr/version-1.7.html for official patch release dates and version numbers.

Share

CVE-2026-6500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy