Publish Date: Nov. 19, 2018
Summary
We've identified and fixed a vulnerability in the Spiceworks Community App Center involving improper SSL certificate verification when logging in through certain endpoints.
Who’s Affected?
At this time we do not believe anyone was impacted by this vulnerability.
Details
When logging in to Spiceworks through the App Center using a certain API, the login took place over a secure connection. The SSL certificate verification, however, was done in a way that is no longer supported in modern browsers: it used the “Common Name” to identify the host name associated with the certificate instead of the now-required “Subject Alternative Name”. Some browsers, like Safari, will use unencrypted connections when this happens, while others, like Chrome and Firefox, just display a warning page.
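The Common Name versus Subject Alternative Name distinction described above can be checked mechanically. The following is an added example, not Spiceworks code: it takes certificates in the dict form returned by Python's ssl.SSLSocket.getpeercert() and flags those that match a host name only through the legacy Common Name. The host names and sample certificates are constructed for illustration.

```python
# Added example: classify how a certificate could be matched to a host name.
# Input is the dict shape returned by ssl.SSLSocket.getpeercert().

def _name_match(pattern, host):
    """Match one DNS name against a host; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.test" never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    """dNSName entries from the Subject Alternative Name extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """commonName values from the certificate subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def classify(cert, host):
    """Return 'san-match', 'cn-only' (valid only via legacy CN fallback) or 'mismatch'."""
    sans = san_dns_names(cert)
    if any(_name_match(n, host) for n in sans):
        return "san-match"
    # RFC 6125: when dNSName entries are present, the CN must not be consulted.
    if not sans and any(_name_match(n, host) for n in common_names(cert)):
        return "cn-only"
    return "mismatch"

# Constructed sample certificates (not taken from any real deployment).
LEGACY = {"subject": ((("commonName", "apps.example.test"),),)}
MODERN = {"subject": ((("commonName", "apps.example.test"),),),
          "subjectAltName": (("DNS", "apps.example.test"), ("DNS", "*.example.test"))}
OTHER = {"subject": ((("commonName", "apps.example.test"),),),
         "subjectAltName": (("DNS", "login.example.test"),)}

if __name__ == "__main__":
    for label, cert in (("legacy", LEGACY), ("modern", MODERN), ("other", OTHER)):
        print(label, classify(cert, "apps.example.test"))
```

A 'cn-only' result marks a certificate that should be reissued with a Subject Alternative Name entry for the host.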
Mitigating Factors...