{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-48392", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2023-11-16T04:08:17.028Z", "datePublished": "2023-12-15T09:20:19.843Z", "dateUpdated": "2024-01-17T07:23:16.501Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WebITR", "vendor": "Kaifa Technology", "versions": [{"status": "affected", "version": "2_1_0_19"}]}], "datePublic": "2023-12-15T09:24:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator\u2019s account, to execute login account\u2019s permissions, and obtain relevant information."}], "value": "Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator\u2019s account, to execute login account\u2019s permissions, and obtain relevant information."}], "impacts": [{"capecId": "CAPEC-70", "descriptions": [{"lang": "en", "value": "CAPEC-70 Try Common or Default Usernames and Passwords"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-01-17T07:23:16.501Z"}, "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7622-57e5f-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nUpdate to 2_1_0_23 or latest version.\n\n<br>"}], "value": "\nUpdate to 2_1_0_23 or latest version.\n\n\n"}], "source": {"advisory": "TVN-202312019", "discovery": "EXTERNAL"}, "title": "Kaifa Technology WebITR - Hard-coded Cryptographic Key", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kaifa:webitr_attendance_system:2.1.0.23:*:*:*:*:*:*:*", "matchCriteriaId": "0B300C11-0A7F-409F-9D3C-3CE08E366D75", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator\u2019s account, to execute login account\u2019s permissions, and obtain relevant information."}, {"lang": "es", "value": "Kaifa Technology WebITR es un sistema de asistencia en l\u00ednea, tiene una vulnerabilidad al usar una clave de cifrado codificada. Un atacante remoto no autenticado puede generar un par\u00e1metro de token v\u00e1lido y aprovechar esta vulnerabilidad para acceder al sistema con una cuenta de usuario arbitraria, incluida la cuenta de administrador, para ejecutar los permisos de la cuenta de inicio de sesi\u00f3n y obtener informaci\u00f3n relevante."}], "id": "CVE-2023-48392", "lastModified": "2023-12-22T15:46:03.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2023-12-15T10:15:07.590", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7622-57e5f-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}

{}