cvelist Twcert CVELIST:CVE-2024-5995
History: Jun 14, 2024 - 7:18 a.m.

CVE-2024-5995 Soar Cloud HR Portal - Insufficient Session Expiration

2024-06-14 07:18:32
CWE-613
twcert
www.cve.org
5
cve-2024-5995
soar cloud hr portal
insufficient session expiration
email notification
embedded session
session expiration

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 39.3%

The notification emails sent by Soar Cloud HR Portal contain a link with an embedded session. The expiration of the session is not properly configured: the session remains valid for more than 7 days and can be reused.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "HR Portal",
    "vendor": "Soar Cloud",
    "versions": [
      {
        "lessThan": "7.3.2024.0409",
        "status": "affected",
        "version": "earlier",
        "versionType": "custom"
      }
    ]
  }
]
