An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Because the access token in sent in GET requests, this vulnerability could lead to complete account takeover.
History

Tue, 29 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-863

Fri, 13 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Italtel
Italtel embrace
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:italtel:embrace:1.6.4:*:*:*:*:*:*:*
Vendors & Products Italtel
Italtel embrace
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 21 Aug 2024 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Aug 2024 20:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Because the access token in sent in GET requests, this vulnerability could lead to complete account takeover.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-08-20T00:00:00

Updated: 2024-10-29T20:16:46.914Z

Reserved: 2024-04-05T00:00:00

Link: CVE-2024-31842

cve-icon Vulnrichment

Updated: 2024-08-21T14:07:10.340Z

cve-icon NVD

Status : Modified

Published: 2024-08-20T20:15:08.090

Modified: 2024-10-29T21:35:06.340

Link: CVE-2024-31842

cve-icon Redhat

No data.