CVE-2024-13061

The Electronic Official Document Management System from 2100 Technology has an Authentication Bypass vulnerability. Although the product enforces an IP whitelist for the API used to query user tokens, unauthenticated remote attackers can still deceive the server to obtain tokens of arbitrary users, which can then be used to log into the system.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.chtsecurity.com/news/255984da-6630-4e25-ba9b-5ce6933935a6
https://www.chtsecurity.com/news/ade9e9af-61d0-4e3c-8aa0-e8524ee2cfbc
https://www.twcert.org.tw/en/cp-139-8340-d8b16-2.html
https://www.twcert.org.tw/tw/cp-132-8339-570fa-1.html

Configurations

No configuration.

History

02 Jan 2025, 02:15

Type	Values Removed	Values Added
Summary		(es) Electronic Official Document Management System de 2100 Technology tiene una vulnerabilidad de omisión de autenticación. Aunque el producto aplica una lista blanca de direcciones IP para la API utilizada para consultar tokens de usuarios, los atacantes remotos no autenticados aún pueden engañar al servidor para obtener tokens de usuarios arbitrarios, que luego pueden usarse para iniciar sesión en el sistema.
References		() https://www.chtsecurity.com/news/255984da-6630-4e25-ba9b-5ce6933935a6 - () https://www.chtsecurity.com/news/ade9e9af-61d0-4e3c-8aa0-e8524ee2cfbc -

31 Dec 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-31 12:15

Updated : 2025-01-02 02:15

NVD link : CVE-2024-13061

Mitre link : CVE-2024-13061

CVE.ORG link : CVE-2024-13061

JSON object : View

Products Affected

No product.

CWE

CWE-290

Authentication Bypass by Spoofing

9.8 /10