History: Apr 22, 2022 - 12:00 a.m.

CVE-2022-26672 ASUS WebStorage - Use of Hard-coded Credentials

2022-04-22 00:00:00
CWE-798
twcert
www.cve.org

CVSS3: 7.3 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score: 9.6 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 73.5%)

ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information.

CNA Affected

[
  {
    "platforms": [
      "Android"
    ],
    "product": "WebStorage",
    "vendor": "ASUS",
    "versions": [
      {
        "lessThanOrEqual": "3.10.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
