Submission #383228: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-307: Improper Restriction of Excessive Authentication Attempts - Info

Title: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-307: Improper Restriction of Excessive Authentication Attempts
Description:

NOTE - This submit shall be embargoed until 14:00 CET on 2024-08-01 - NOTE

CVE-2024-38888: An issue in Horizon Business Services Inc. Caterease Software allows a local attacker to perform a Password Brute Forcing attack due to improper restriction of excessive authentication attempts.

Vulnerability Type: CWE-307: Improper Restriction of Excessive Authentication Attempts
Vendor of the Product: Horizon Business Services Inc.
Affected Product: Caterease Software
Affected Versions: 16.0.1.1663 through 24.0.1.2405
Attack Vector: Local
Attack Type: CAPEC-49: Password Brute Forcing

Vulnerability Summary: Caterease Software lacks adequate controls to prevent excessive authentication attempts, making it susceptible to brute force attacks. The login mechanism in Caterease Software activates the "OK" button only when a correct password is entered, allowing attackers to test passwords without actually sending them to the server. This design flaw enables attackers to systematically try numerous password combinations until they find the correct one, effectively bypassing standard security measures that should limit failed login attempts. By exploiting this vulnerability, attackers can eventually gain unauthorized access to user accounts, leading to significant security risks. Unauthorized access allows attackers to compromise the confidentiality of user data and perform actions within the application that may compromise data integrity.

CVSS Base Score: Medium Risk - 6.8
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged

Impact Metrics:
Confidentiality (C): High
Integrity (I): Low
Availability (A): None
User: jTag Labs (UID 51246)
Submitted: 2024-07-30 16:58 (2 years ago)
Moderated: 2024-08-01 14:15 (2 days later)
Status: Accepted
VulDB entry: 273372 [Horizon Business Services Caterease up to 24.0.1.2405 Login information disclosure]
Points: 17
