Jun 14, 2024 - 9:15 a.m.

CVE-2024-5996

2024-06-14 09:15:11
CWE-319
web.nvd.nist.gov
notification emails
soar cloud
hr portal
encryption
plaintext session information
intercepts packets

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8.6 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 39.3%)

The notification emails sent by Soar Cloud HR Portal contain a link with an embedded session. These emails are sent without using an encrypted transmission protocol. If an attacker intercepts the packets, they can obtain the plaintext session information and use it to log into the system.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "HR Portal",
    "vendor": "Soar Cloud",
    "versions": [
      {
        "lessThan": "7.3.2024.0409",
        "status": "affected",
        "version": "earlier",
        "versionType": "custom"
      }
    ]
  }
]
