Lucene search

Fluid AttacksCVE-2023-6144

HistoryNov 21, 2023 - 12:15 a.m.

CVE-2023-6144

2023-11-2100:15:07

CWE-639

Fluid Attacks

web.nvd.nist.gov

cve-2023-6144

account takeover

user cookie

security vulnerability

nvd

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Dev blog v1.0 allows to exploit an account takeover through the “user” cookie. With this, an attacker can access any user’s session just by knowing their username.

Affected configurations

Nvd

Node

armanidrisidev_blogMatch1.0

VendorProductVersionCPE
armanidrisidev_blog1.0cpe:2.3:a:armanidrisi:dev_blog:1.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
armanidrisi	dev_blog	1.0	cpe:2.3:a:armanidrisi:dev_blog:1.0:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Dev Blog",
    "vendor": "Dev Blog",
    "versions": [
      {
        "status": "affected",
        "version": "1.0"
      }
    ]
  }
]

References

fluidattacks.com/advisories/almighty/

github.com/Armanidrisi/devblog/

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Related for CVE-2023-6144