Integria IMS incorrect authorization

Posted date 06/10/2021
5 - Critical
Affected Resources

Integria IMS version 5.0.92.


INCIBE has coordinated the publication of a vulnerability in Integria IMS, with the internal code INCIBE-2021-0405, which has been discovered by @nag0mez (special mention to @_Barriuso).

CVE-2021-3833 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.


This vulnerability has been solved in Integria IMS 5.0 93.


Integria IMS login check uses a loose comparator ("==") to compare the MD5 hash of the password provided by the user and the MD5 hash stored in the database.

An attacker with a specific formatted password could exploit this vulnerability in order to login in the system with different passwords.

This vulnerability has been solved in Integria IMS 5.0 93.

CWE-697: Incorrect Comparison.


08/04/2021 - Researchers discovery.
09/04/2021 - Researchers contact with INCIBE.
20/05/2021 - Integria IMS confirms that the fix version and the release software patch have been published (Security Patch).
06/10/2021 - The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración

References list