[Suggested description]
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. When a backup file is created through the web interface, information on all users, including passwords, can be found in cleartext in the backup file. An attacker capable of accessing the web interface can create the backup file.

------------------------------------------

[Additional Information]
Note that this means the application passwords are also stored on the device in plain text, otherwise they could not be placed in the backup file in this manner. Note that during normal functional use, the backup file is not created. and then use other vulnerabilities to obtain access to the backup file, including the user's passwords.

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
Svakom

------------------------------------------

[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14

------------------------------------------

[Affected Component]
Siime Eye

------------------------------------------

[Attack Type]
Context-dependent

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
A backup file must be found or created by an attacker in order to exploit this vulnerability.

------------------------------------------

[Reference]
N/A

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond

Use CVE-2020-11918.