History: Jun 14, 2024 - 8:22 a.m.

CVE-2024-5996 Soar Cloud HR Portal - Cleartext Transmission of Sensitive Information

2024-06-14 08:22:11
CWE-319
twcert
www.cve.org
soar cloud hr portal
cleartext transmission
sensitive information
intercepted packets
plaintext session

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 39.3%

The notification emails sent by Soar Cloud HR Portal contain a link with an embedded session. These emails are sent without using an encrypted transmission protocol. If an attacker intercepts the packets, they can obtain the plaintext session information and use it to log into the system.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "HR Portal",
    "vendor": "Soar Cloud",
    "versions": [
      {
        "lessThan": "7.3.2024.0409",
        "status": "affected",
        "version": "earlier",
        "versionType": "custom"
      }
    ]
  }
]
