ARC Informatique PcVue
Summary
| CVE | CVE-2022-2569 |
|---|---|
| State | PUBLISHED |
| Assigner | icscert |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-08-24 16:15:11 UTC |
| Updated | 2026-07-09 18:32:08 UTC |
| Description | The affected device stores sensitive information in cleartext, which may allow an authenticated user to access session data stored in the OAuth database belonging to legitimate users |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.001300000 probability, percentile 0.030290000 (date 2026-07-13)
Problem Types: CWE-312 | CWE-312 CWE-312 Cleartext Storage of Sensitive Information
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | [email protected] | Secondary | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | CNA | DECLARED | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | ARC Informatique | PcVue 12 OAuth Web Service Configuration | affected All 12.0.27 custom | Not specified |
| CNA | ARC Informatique | PcVue 15 OAuth Web Service Configuration | affected All | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| ARC Informatique PcVue | CISA | af854a3a-2127-422b-91ae-364da2661108 | www.cisa.gov | Patch, Third Party Advisory, US Government Resource |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: An unnamed researcher reported this vulnerability to ARC Informatique. (en)
Additional Advisory Data
Solutions
CNA: PcVue 12: The fix is available in Maintenance release 12.0.27 After installing the fix, users should update the Web Deployment Console (WDC) and re-deploy the Web Server. All users using the affected component should install a patched release of the WDC and re-deploy the Web Server. This will allow the WDC to update and protect the database connection string, including clearing any sensitive information stored in the web.config file.
Workarounds
CNA: ARC Informatique has identified additional steps users can apply to reduce the risk: Uninstall the Web Server All users not using the affected component should uninstall the web server. The OAuth web service and its configuration are part of the Web Server for PcVue. If the system does not require Web & Mobile features, then users should not install them. Users should contact ARC Informatique’s PcVue Solutions for assistance with the above steps. For additional information, visit the public ARC Informatique security alert page.
CNA: PcVue 15 does not have a fix released yet, but is in the works.
Legacy QID Mappings
- 591235 ARC Informatique PcVue (Update A) Sensitive Information Disclosure Vulnerability (ICSA-22-235-01)