CVE-2023-6913 - OpenCVE

A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Imoulife	Imou Life

Configuration 1 [-]

cpe:2.3:a:imoulife:imou_life:6.7.0:*:*:*:*:*:*:*

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-12-19T14:49:48.766Z

Updated: 2023-12-19T15:03:31.788Z

Reserved: 2023-12-18T09:51:26.413Z

Link: CVE-2023-6913

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-19T15:15:09.447

Modified: 2023-12-28T19:03:17.600

Link: CVE-2023-6913

JSON object: View

Redhat Information

No data.

CWE

CWE-384

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6913", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-12-18T09:51:26.413Z", "datePublished": "2023-12-19T14:49:48.766Z", "dateUpdated": "2023-12-19T15:03:31.788Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Imou Life app", "vendor": "Imou", "versions": [{"status": "affected", "version": "6.7.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan Adamski (johnny1337.pl)"}], "datePublic": "2023-12-18T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks."}], "value": "A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-12-19T15:03:31.788Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vulnerability fixed in later versions. "}], "value": "Vulnerability fixed in later versions. "}], "source": {"discovery": "UNKNOWN"}, "title": "Session Hijacking on Imou Life app", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imoulife:imou_life:6.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "A979E6CE-80D8-4A00-B14B-20BDEF1CD9A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de secuestro de sesi\u00f3n en la aplicaci\u00f3n Imou Life que afecta a la versi\u00f3n 6.7.0. Esta vulnerabilidad podr\u00eda permitir a un atacante secuestrar cuentas de usuario debido a que la funcionalidad del c\u00f3digo QR no filtra correctamente los c\u00f3digos al escanear un nuevo dispositivo y ejecutar WebView directamente sin avisar ni mostrarlo al usuario. Esta vulnerabilidad podr\u00eda desencadenar ataques de phishing."}], "id": "CVE-2023-6913", "lastModified": "2023-12-28T19:03:17.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-12-19T15:15:09.447", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}