VYPR
Unrated severity · NVD Advisory · Published Dec 29, 2023 · Updated Apr 17, 2025

CVE-2023-31300

Description

Sesami CPTO 6.3.8.6 transmits newly generated passwords in cleartext email, allowing remote attackers to intercept them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) contains a weak password reset mechanism (CWE-640). When a user requests a password reset, the system generates a new password and sends it in cleartext via email. The message is transmitted without SSL/TLS protection, so the credential is readable in transit. The affected version is 6.3.8.6 (#718) from 2021-07-06 [1].

Exploitation

An attacker with network access capable of intercepting the target user's email traffic (e.g., via man-in-the-middle on an unencrypted mail relay or compromised SMTP channel) can capture the cleartext password contained in the reset email. No user interaction beyond the legitimate password reset request is required; the attacker simply monitors the email transmission. The attacker does not need prior authentication or any special privileges on the CPTO system [1].

Impact

Successful interception of the cleartext password grants the attacker the ability to authenticate as the victim user, potentially gaining access to sensitive financial and logistical data managed by CPTO. Since the password is delivered via email and remains readable in the user's mailbox, the exposure window is indefinite. The impact is primarily confidentiality and integrity of the application data, with the attacker obtaining the same privileges as the compromised user [1].

Mitigation

The vendor has acknowledged the vulnerability and recommends updating CPTO to the current version (fix released after disclosure). The recommended secure approach is to send an SSL-enabled, time-limited password reset link instead of the password itself. Users should apply the latest CPTO update and ensure that email communications are protected by TLS. No workaround for the vulnerable version is provided beyond upgrading [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The Password Reset feature transmits newly generated passwords in unencrypted, cleartext form via email instead of using a secure, time-limited reset link."

Attack vector

An attacker who can intercept email traffic (e.g., via man-in-the-middle on an unencrypted network or by compromising the email transport path) can capture the cleartext password sent by the Password Reset feature [1]. The vulnerability is classified as CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) [1]. No authentication or special privileges are required to trigger the password reset; the attacker only needs to know the target user's email address or username associated with the CPTO account.

Affected code

The advisory does not specify particular functions, files, or code paths. The affected component is the Password Reset feature in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) [1].

What the fix does

The advisory recommends that instead of sending the new password in cleartext via email, the system should send an SSL-enabled, time-limited link that directs the user to a secure page where they can set a new password [1]. This ensures the actual password is never transmitted over email, and the short-lived link reduces the window of exposure even if the email remains in the mailbox. No patch diff is available in the bundle; the vendor has acknowledged the issue and states it is fixed in the current version [1].
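The following is an added illustration of the reset-link design recommended in the Mitigation and "What the fix does" sections above; it is example code, not Sesami's or CPTO's own implementation, and the class, function names, the `https://cpto.example.invalid/reset` URL and the 15-minute lifetime are assumptions. It shows the three properties that distinguish a reset link from an emailed password: the email carries a high-entropy, single-use token rather than the credential, the server stores only a hash of that token, and the token stops working after a short window or after its first use, so a message that is intercepted or lingers in a mailbox is of no lasting value.

```python
"""Time-limited, single-use password reset tokens (illustrative example).

Constructed example, not CPTO code. An in-memory dict stands in for the
application database; the base URL and lifetime are assumed values.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

RESET_TTL_SECONDS = 15 * 60  # assumed: a reset link is valid for 15 minutes


@dataclass
class ResetRecord:
    token_hash: bytes      # SHA-256 of the token; the token itself is never stored
    user_id: str
    expires_at: float      # absolute time after which the link is rejected
    consumed: bool = False  # single use: set on first successful redemption


def _hash_token(token: str) -> bytes:
    # Storing only the hash means a read of the database does not yield
    # usable reset links. The hash is also the lookup key below.
    return hashlib.sha256(token.encode("ascii")).digest()


class PasswordResetService:
    def __init__(self,
                 base_url: str = "https://cpto.example.invalid/reset",  # assumed
                 ttl_seconds: int = RESET_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.base_url = base_url
        self.ttl_seconds = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised deterministically
        self._records: Dict[bytes, ResetRecord] = {}

    def issue_reset_link(self, user_id: str) -> str:
        """Create a fresh token for user_id and return the HTTPS link to email.

        The email body contains this link and nothing else of value: no
        password, and a token that is useless after ttl_seconds or one use.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
        record = ResetRecord(_hash_token(token), user_id, self.clock() + self.ttl_seconds)
        self._records[record.token_hash] = record
        return f"{self.base_url}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Validate a presented token; return the user_id it unlocks, else None.

        Rejects unknown, expired and already-consumed tokens. Because tokens
        are unguessable and compared by hash, a plain dict lookup is adequate.
        """
        record = self._records.get(_hash_token(token))
        if record is None:
            return None                       # unknown or tampered token
        if record.consumed:
            return None                       # replay of a used link
        if self.clock() > record.expires_at:
            return None                       # link outlived its window
        record.consumed = True                # burn it before the password changes
        return record.user_id


def token_from_link(link: str) -> str:
    """Extract the token query parameter from a reset link (the user's browser does this)."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    svc = PasswordResetService()
    link = svc.issue_reset_link("alice")
    print("email carries:", link)           # a link, not a credential
    print("first redemption ->", svc.redeem(token_from_link(link)))
    print("replayed link ->", svc.redeem(token_from_link(link)))
```

The `redeem` method is the enforcement point the advisory's recommendation relies on: the page behind the link must check expiry and single use before it lets the user choose a new password, and the new password is then set over the same HTTPS session rather than sent anywhere by email.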

Preconditions

  • Network: Attacker must be able to intercept email traffic between the CPTO system and the user (e.g., via man-in-the-middle on an unencrypted email transport or access to the user's mailbox).
  • Input: Attacker must know the target user's email address or username to trigger the password reset.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.