CVE-2023-6144 Vulnerability Details

  /     /     /  

CVE-2023-6144 Metadata Quick Info

CVE Published: 20/11/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: Fluid Attacks | Vendor: Dev Blog | Product: Dev Blog
Status : PUBLISHED

---

CVE-2023-6144 Description

Dev blog v1.0 allows to exploit an account takeover through the "user" cookie. With this, an attacker can access any user\'s session just by knowing their username.

Metrics

CVSS Version: 3.1 | Base Score: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-639
CWE Name: CWE-639 Authorization Bypass Through User-Controlled Key
Source: Dev Blog

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-153
CAPEC Description: CAPEC-153 Input Data Manipulation


Source: NVD (National Vulnerability Database).