The site-locking implementation in the SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance relies on a list of server domain names to restrict execution of ActiveX controls, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a DNS hijacking attack.
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
| Link | Tags |
|---|---|
| http://www.kb.cert.org/vuls/id/602801 | us government resource third party advisory patch |
| http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html | |
| http://www.wintercore.com/downloads/rootedcon_0day.pdf | exploit |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/58608 | vdb entry |
| http://www.securityfocus.com/archive/1/511176/100/0/threaded | mailing list |
| http://www.consona.com/Content/CRM/Support/SecurityBulletin_April2010.pdf | patch vendor advisory |