Submit #383228: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-307: Improper Restriction of Excessive Authentication Attempts

Title: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-307: Improper Restriction of Excessive Authentication Attempts
Description: NOTE - This submit shall be embargoed until 14:00 CET on 2024-08-01 - NOTE
CVE-2024-38888: An issue in Horizon Business Services Inc. Caterease Software allows a local attacker to perform a password brute-forcing attack due to improper restriction of excessive authentication attempts.
Vulnerability Type: CWE-307: Improper Restriction of Excessive Authentication Attempts
Vendor of the Product: Horizon Business Services Inc.
Affected Product: Caterease Software
Affected Versions: 16.0.1.1663 through 24.0.1.2405
Attack Vector: Local
Attack Type: CAPEC-49: Password Brute Forcing
Vulnerability Summary: Caterease Software lacks adequate controls to prevent excessive authentication attempts, making it susceptible to brute-force attacks. The login dialog activates the "OK" button only when the correct password has been entered, which means the password is checked on the client and candidate passwords can be tested without any request reaching the server. Because the check never leaves the client, the server-side controls that should limit failed login attempts are never triggered, and an attacker can systematically try password candidates until the correct one is found. A successful guess gives unauthorized access to the user account, compromising the confidentiality of user data and allowing actions within the application that may compromise data integrity.
CVSS Base Score: 6.8 (Medium Risk)
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Exploitability Metrics: Attack Vector (AV): Local; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None; Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): Low; Availability (A): None
User: jTag Labs (UID 51246)
Submission: 30.07.2024 16:58 (2 years ago)
Moderation: 01.08.2024 14:15 (2 days later)
Status: Accepted
VulDB Entry: 273372 [Horizon Business Services Caterease up to 24.0.1.2405 Login Information Disclosure]
Points: 17
