CVE-2024-5996

{"id": "CVE-2024-5996", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-06-14T09:15:11.010", "references": [{"url": "https://www.twcert.org.tw/en/cp-139-7874-b6727-2.html", "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-7873-5ba4c-1.html", "source": "twcert@cert.org.tw"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "The notification emails sent by Soar Cloud HR Portal contain a link with a embedded session. These emails are sent without using an encrypted transmission protocol. If an attacker intercepts the packets, they can obtain the plaintext session information and use it to log into the system."}, {"lang": "es", "value": "Los correos electr\u00f3nicos de notificaci\u00f3n enviados por Soar Cloud HR Portal contienen un enlace con una sesi\u00f3n integrada. Estos correos electr\u00f3nicos se env\u00edan sin utilizar un protocolo de transmisi\u00f3n cifrado. Si un atacante intercepta los paquetes, puede obtener la informaci\u00f3n de la sesi\u00f3n en texto plano y utilizarla para iniciar sesi\u00f3n en el sistema."}], "lastModified": "2024-06-17T12:42:04.623", "sourceIdentifier": "twcert@cert.org.tw"}