Lucene search

INCIBECVELIST:CVE-2024-0580

HistoryJan 18, 2024 - 8:47 a.m.

CVE-2024-0580 Omission of key-controlled authorization in Qsige

2024-01-1808:47:16

CWE-639

INCIBE

www.cve.org

cve

omission

authorization

qsige

vulnerability

api

information

extraction

idmsistemas

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

37.2%

JSON

Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter ‘/qsige.locator/quotePrevious/centers/X’, where X supports values 1,2,3, etc.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Sinergia, Sinergia 2.0, and Sinergia Corporativo",
    "vendor": "IDMSistemas",
    "versions": [
      {
        "status": "affected",
        "version": "2.0"
      }
    ]
  }
]

References

www.incibe.es/en/incibe-cert/notices/aviso/omission-key-controlled-authorization-qsige

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

37.2%

JSON

Related for CVELIST:CVE-2024-0580