The Avaya IP Office Phone Manager, and other products such as the IP Softphone, stores sensitive data in cleartext in a registry key, which allows local and possibly remote users to steal usernames and passwords and impersonate other users via keys such as Avaya\IP400\Generic.
Avaya IP Office Phone Manager Registry Cleartext Auth Credential Storage
Local Access Required
Loss of Confidentiality
IP Office Phone Manager contains a flaw that may lead to unauthorized password exposure. It is possible for any local user to gain access to encrypted passwords that are stored in the registry, which may lead to a loss of confidentiality.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): restrict access to the Windows registry and/or disable the "Remember save password" feature.
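One way to check the first workaround is to audit which identities can read the affected key. This is an added example, not part of the original advisory or vendor guidance. The advisory names only the fragment Avaya\IP400\Generic, so the parent locations searched and the list of expected identities are assumptions to adjust locally.

```powershell
# Added example: list identities with read access to the key fragment
# named in the advisory. It inspects the ACL only and reads no values.
$Fragment = 'Avaya\IP400\Generic'

# Assumption: the advisory does not state the hive or full path, so these
# common Software roots are checked as candidates.
$CandidateRoots = @('HKCU:\Software', 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')

# Assumption: identities that are expected to hold read access.
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\$env:USERNAME"
)

# Bits that permit reading values: QueryValues (0x1), plus the generic
# GENERIC_ALL (0x10000000) and GENERIC_READ (0x80000000) rights that
# registry ACEs sometimes carry unmapped.
$ReadBits = 0x1 -bor 0x10000000 -bor 0x80000000

$findings = foreach ($root in $CandidateRoots) {
    $path = Join-Path $root $Fragment
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $acl = Get-Acl -LiteralPath $path
    foreach ($rule in $acl.Access) {
        $isAllow    = $rule.AccessControlType -eq 'Allow'
        $grantsRead = (([int]$rule.RegistryRights) -band $ReadBits) -ne 0
        $identity   = $rule.IdentityReference.Value

        if ($isAllow -and $grantsRead -and ($Expected -notcontains $identity)) {
            [pscustomobject]@{
                Key       = $path
                Identity  = $identity
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No unexpected read access found (or the key is absent under the candidate roots).'
}
```

Entries marked as inherited must be corrected on the parent key, or inheritance must be disabled on the affected key, before the access can be removed.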