9.8
CVE-2016-6545
- EPSS 3.06%
- Veröffentlicht 13.07.2018 20:29:00
- Zuletzt bearbeitet 21.11.2024 02:56:19
- Quelle cret@cert.org
- CVE-Watchlists
- Unerledigt
LoginiTrack Easy does not use session cookies to maintain sessions and POSTs the users password over HTTPS for each request
Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ieasytec ≫ Itrackeasy Version-
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.06% | 0.859 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-384 Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
CWE-613 Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
https://blog.rapid7.com/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulnerabilities/
http://www.securityfocus.com/bid/93875
https://www.kb.cert.org/vuls/id/974055