CVE-2023-36483

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-36483
Authorization bypass can be achieved by session ID prediction in MASmobile Classic Android  version 1.16.18 and earlier and MASmobile Classic iOS version 1.7.24 and earlier which allows remote attackers to retrieve sensitive data  including customer data, security system status, and event history.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.corporate.carrier.com/product-security/advisories-resources/
https://www.corporate.carrier.com/product-security/advisories-resources/
Configurations

No configuration.

History

21 Nov 2024, 08:09

Type Values Removed Values Added
References () https://www.corporate.carrier.com/product-security/advisories-resources/ - () https://www.corporate.carrier.com/product-security/advisories-resources/ -

21 Mar 2024, 22:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
Summary (en) An authorization bypass was discovered in the Carrier MASmobile Classic application through 1.16.18 for Android, MASmobile Classic app through 1.7.24 for iOS, and MAS ASP.Net Services through 1.9. It can be achieved via session ID prediction, allowing remote attackers to retrieve sensitive data including customer data, security system status, and event history. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The affected products cannot simply be updated; they must be removed, but can be replaced by other Carrier software as explained in the Carrier advisory. (en) Authorization bypass can be achieved by session ID prediction in MASmobile Classic Android  version 1.16.18 and earlier and MASmobile Classic iOS version 1.7.24 and earlier which allows remote attackers to retrieve sensitive data  including customer data, security system status, and event history.
References
  • {'url': 'https://www.corporate.carrier.com/Images/CARR-PSA-MASMobile%20Classic%20Authorization%20Bypass-012-0623_tcm558-203964.pdf', 'source': 'productsecurity@carrier.com'}
  • () https://www.corporate.carrier.com/product-security/advisories-resources/ -
CWE CWE-639

21 Mar 2024, 02:48

Type Values Removed Values Added
Summary
  • (es) Se descubrió una omisión de autorización en la aplicación Carrier MASmobile Classic hasta la versión 1.16.18 para Android, la aplicación MASmobile Classic hasta la 1.7.24 para iOS y los servicios MAS ASP.Net hasta la 1.9. Esto se puede lograr mediante la predicción de ID de sesión, lo que permite a atacantes remotos recuperar datos confidenciales, incluidos datos de clientes, estado del sistema de seguridad e historial de eventos. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. Los productos afectados no pueden simplemente actualizarse; deben eliminarse, pero pueden reemplazarse por otro software de Carrier como se explica en el aviso de Carrier.

16 Mar 2024, 05:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-16 05:15

Updated : 2024-11-21 08:09

NVD link : CVE-2023-36483

Mitre link : CVE-2023-36483

CVE.ORG link : CVE-2023-36483

JSON object : View

Products Affected

No product.

CWE
CWE-639

Authorization Bypass Through User-Controlled Key