CVE-2024-0580 - OpenCVE

Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Idmsistemas	Sinergia

Configuration 1 [-]

cpe:2.3:a:idmsistemas:sinergia:2.0:*:*:*:*:*:*:*

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/omission-key-controlled-authorization-qsige	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-01-18T08:47:16.711Z

Updated: 2024-01-18T08:47:16.711Z

Reserved: 2024-01-16T08:06:10.223Z

Link: CVE-2024-0580

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-18T09:15:07.960

Modified: 2024-01-26T18:51:15.993

Link: CVE-2024-0580

JSON object: View

Redhat Information

No data.

CWE

CWE-639

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-0580", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-01-16T08:06:10.223Z", "datePublished": "2024-01-18T08:47:16.711Z", "dateUpdated": "2024-01-18T08:47:16.711Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Sinergia, Sinergia 2.0, and Sinergia Corporativo", "vendor": "IDMSistemas", "versions": [{"status": "affected", "version": "2.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oscar Atienza"}], "datePublic": "2024-01-16T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc."}], "value": "Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-01-18T08:47:16.711Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/omission-key-controlled-authorization-qsige"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update the 'locator' module of the affected product. A patch was applied to this module on June 23, 2023. Please refer to the link (<a target=\"_blank\" rel=\"nofollow\" href=\"https://web/qsige.localizador/about\">https://web/qsige.localizador/about</a>) for details. If you are using an older version, you can contact IDM to upgrade your system."}], "value": "Update the 'locator' module of the affected product. A patch was applied to this module on June 23, 2023. Please refer to the link ( https://web/qsige.localizador/about https://web/qsige.localizador/about ) for details. If you are using an older version, you can contact IDM to upgrade your system."}], "source": {"discovery": "UNKNOWN"}, "title": "Omission of key-controlled authorization in Qsige", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:idmsistemas:sinergia:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "302C379E-019F-4A7B-83F5-3F52CE5C4D05", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc."}, {"lang": "es", "value": "Omisi\u00f3n de autorizaci\u00f3n de clave controlada por el usuario en la plataforma IDMSistemas, afectando el producto QSige. Esta vulnerabilidad permite a un atacante extraer informaci\u00f3n confidencial de la API realizando una solicitud al par\u00e1metro '/qsige.locator/quotePrevious/centers/X', donde X admite los valores 1,2,3, etc."}], "id": "CVE-2024-0580", "lastModified": "2024-01-26T18:51:15.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2024-01-18T09:15:07.960", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/omission-key-controlled-authorization-qsige"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}