CVE-2024-8888

An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:circutor:q-smt_firmware:1.0.4:*:*:*:*:*:*:*

cpe:2.3:h:circutor:q-smt:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-18 12:15

Updated : 2024-10-01 19:30

NVD link : CVE-2024-8888

Mitre link : CVE-2024-8888

CVE.ORG link : CVE-2024-8888

JSON object : View

Products Affected

circutor

q-smt_firmware
q-smt

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2024-8888", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-18T12:15:03.520", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."}, {"lang": "es", "value": "Un atacante con acceso a la red donde se encuentra CIRCUTOR Q-SMT en su versi\u00f3n de firmware 1.0.4, podr\u00eda robar los tokens utilizados en la web, ya que estos no tienen fecha de caducidad para acceder a la aplicaci\u00f3n web sin restricciones. El robo de tokens puede tener su origen en diferentes m\u00e9todos como capturas de red, informaci\u00f3n web almacenada localmente, etc."}], "lastModified": "2024-10-01T19:30:35.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:circutor:q-smt_firmware:1.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "292A461E-4540-40B6-9366-E78BA7EB5EB9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:circutor:q-smt:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9DA81978-4905-41F2-869B-430A9AEC2EEC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve-coordination@incibe.es"}