Lucene search

INCIBECVE-2024-0580

HistoryJan 18, 2024 - 9:15 a.m.

CVE-2024-0580

2024-01-1809:15:07

CWE-639

INCIBE

web.nvd.nist.gov

cve-2024-0580

idmsistemas

qsige

api

vulnerability

information security

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

37.2%

JSON

Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter ‘/qsige.locator/quotePrevious/centers/X’, where X supports values 1,2,3, etc.

Affected configurations

Nvd

Vulners

Node

idmsistemassinergiaMatch2.0

VendorProductVersionCPE
idmsistemassinergia2.0cpe:2.3:a:idmsistemas:sinergia:2.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
idmsistemas	sinergia	2.0	cpe:2.3:a:idmsistemas:sinergia:2.0:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Sinergia, Sinergia 2.0, and Sinergia Corporativo",
    "vendor": "IDMSistemas",
    "versions": [
      {
        "status": "affected",
        "version": "2.0"
      }
    ]
  }
]

References

www.incibe.es/en/incibe-cert/notices/aviso/omission-key-controlled-authorization-qsige

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

37.2%

JSON

Related for CVE-2024-0580