An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Because the access token in sent in GET requests, this vulnerability could lead to complete account takeover.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://www.gruppotim.it/it/footer/red-team.html |
History
Tue, 29 Oct 2024 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-863 |
Fri, 13 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Italtel
Italtel embrace |
|
Weaknesses | NVD-CWE-noinfo | |
CPEs | cpe:2.3:a:italtel:embrace:1.6.4:*:*:*:*:*:*:* | |
Vendors & Products |
Italtel
Italtel embrace |
|
Metrics |
cvssV3_1
|
Wed, 21 Aug 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 20 Aug 2024 20:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Because the access token in sent in GET requests, this vulnerability could lead to complete account takeover. | |
References |
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2024-08-20T00:00:00
Updated: 2024-10-29T20:16:46.914Z
Reserved: 2024-04-05T00:00:00
Link: CVE-2024-31842
Vulnrichment
Updated: 2024-08-21T14:07:10.340Z
NVD
Status : Modified
Published: 2024-08-20T20:15:08.090
Modified: 2024-10-29T21:35:06.340
Link: CVE-2024-31842
Redhat
No data.