CVE-2020-8791

Exploit

EPSS 0.33%
Veröffentlicht 04.05.2020 14:15:13
Zuletzt bearbeitet 21.11.2024 05:39:26
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary user IDs. Valid and current user IDs are trivial to guess because of the user ID assignment convention used by the app. A remote attacker could harvest email addresses, unsalted MD5 password hashes, owner-assigned lock names, and owner-assigned fingerprint names for any range of arbitrary user IDs.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Oklok Project ≫ Oklok Version3.1.1 SwPlatformiphone_os

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.556

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/fierceoj/ownklok

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2020-8791

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-8791

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-8791

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-8791