CVE-2024-6890

Exploit

EPSS 0.11%
Veröffentlicht 07.08.2024 23:15:41
Zuletzt bearbeitet 21.11.2024 09:50:28
Quelle bbf0bd87-ece2-41be-b873-96928e
CVE-Watchlists
Login
Unerledigt
Login

Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 4 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Journyx ≫ Journyx Version11.5.4 SwPlatformlinux

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.306

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-334 Small Space of Random Values

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

CWE-799 Improper Control of Interaction Frequency

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt

Third Party Advisory

Exploit

http://seclists.org/fulldisclosure/2024/Aug/5

https://nvd.nist.gov/vuln/detail/CVE-2024-6890

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-6890

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-6890

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-6890