CVE-2024-8888

An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:circutor:q-smt_firmware:1.0.4:*:*:*:*:*:*:*

cpe:2.3:h:circutor:q-smt:-:*:*:*:*:*:*:*

History

01 Oct 2024, 19:30

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~10.0~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:o:circutor:q-smt_firmware:1.0.4:::::::* cpe:2.3:h:circutor:q-smt:-:::::::*
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products - Third Party Advisory
First Time		Circutor Circutor q-smt Circutor q-smt Firmware

20 Sep 2024, 12:30

Type	Values Removed	Values Added
Summary		(es) Un atacante con acceso a la red donde se encuentra CIRCUTOR Q-SMT en su versión de firmware 1.0.4, podría robar los tokens utilizados en la web, ya que estos no tienen fecha de caducidad para acceder a la aplicación web sin restricciones. El robo de tokens puede tener su origen en diferentes métodos como capturas de red, información web almacenada localmente, etc.

18 Sep 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-18 12:15

Updated : 2024-10-01 19:30

NVD link : CVE-2024-8888

Mitre link : CVE-2024-8888

CVE.ORG link : CVE-2024-8888

JSON object : View

Products Affected

circutor

q-smt_firmware
q-smt

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2024-8888", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2024-09-18T12:15:03.520", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."}, {"lang": "es", "value": "Un atacante con acceso a la red donde se encuentra CIRCUTOR Q-SMT en su versi\u00f3n de firmware 1.0.4, podr\u00eda robar los tokens utilizados en la web, ya que estos no tienen fecha de caducidad para acceder a la aplicaci\u00f3n web sin restricciones. El robo de tokens puede tener su origen en diferentes m\u00e9todos como capturas de red, informaci\u00f3n web almacenada localmente, etc."}], "lastModified": "2024-10-01T19:30:35.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:circutor:q-smt_firmware:1.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "292A461E-4540-40B6-9366-E78BA7EB5EB9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:circutor:q-smt:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9DA81978-4905-41F2-869B-430A9AEC2EEC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve-coordination@incibe.es"}