CVE-2021-32543 - OpenCVE

The CTS Web transaction system related to authentication management is implemented incorrectly. After login, remote attackers can manipulate cookies to access other accounts and trade in the stock market with spoofed identity.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sysjust	Cts Web

Configuration 1 [-]

cpe:2.3:a:sysjust:cts_web:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-4759-92eab-1.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: twcert

Published: 2021-05-28T00:00:00

Updated: 2021-07-21T10:25:29

Reserved: 2021-05-10T00:00:00

Link: CVE-2021-32543

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-05-28T08:15:07.137

Modified: 2022-05-27T14:05:53.017

Link: CVE-2021-32543

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": " CTS Web", "vendor": "SysJust", "versions": [{"lessThanOrEqual": "released 2021.3.25", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-05-28T00:00:00", "descriptions": [{"lang": "en", "value": "The CTS Web transaction system related to authentication management is implemented incorrectly. After login, remote attackers can manipulate cookies to access other accounts and trade in the stock market with spoofed identity."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-21T10:25:29", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-4759-92eab-1.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}], "solutions": [{"lang": "en", "value": "Update CTS to version released after 2021.3.25"}], "source": {"advisory": "TVN-202105005", "discovery": "EXTERNAL"}, "title": "SysJust CTS Web - Broken Authentication", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2021-05-28T07:56:00.000Z", "ID": "CVE-2021-32543", "STATE": "PUBLIC", "TITLE": "SysJust CTS Web - Broken Authentication"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": " CTS Web", "version": {"version_data": [{"version_affected": "<=", "version_value": "released 2021.3.25"}]}}]}, "vendor_name": "SysJust"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The CTS Web transaction system related to authentication management is implemented incorrectly. After login, remote attackers can manipulate cookies to access other accounts and trade in the stock market with spoofed identity."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287 Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-4759-92eab-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-4759-92eab-1.html"}, {"name": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344", "refsource": "CONFIRM", "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}]}, "solution": [{"lang": "en", "value": "Update CTS to version released after 2021.3.25"}], "source": {"advisory": "TVN-202105005", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-32543", "datePublished": "2021-05-28T00:00:00", "dateReserved": "2021-05-10T00:00:00", "dateUpdated": "2021-07-21T10:25:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sysjust:cts_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5DB6391-81C8-47A2-A1F2-1B127E1FFC7E", "versionEndExcluding": "2021.3.24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The CTS Web transaction system related to authentication management is implemented incorrectly. After login, remote attackers can manipulate cookies to access other accounts and trade in the stock market with spoofed identity."}, {"lang": "es", "value": "El sistema de transacciones de CTS Web relacionado con la administraci\u00f3n de autenticaci\u00f3n es implementado incorrectamente. Despu\u00e9s de iniciar sesi\u00f3n, atacantes remotos pueden manipular las cookies para acceder a otras cuentas y comerciar en el mercado de valores con identidad falsa"}], "id": "CVE-2021-32543", "lastModified": "2022-05-27T14:05:53.017", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2021-05-28T08:15:07.137", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-4759-92eab-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "twcert@cert.org.tw", "type": "Primary"}]}