CVE-2023-4099 - Vulnerability Details - OpenCVE

Description

The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.

Published: 2023-10-03

Score: 7.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

QSige de IDM Sistemas

QSige

unaffected

Version	Status	Constraints
`3.0.0.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:qsige:qsige:3.0.0.0:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

The reported vulnerabilities are fixed in the latest version of the affected product.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-53989	The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-idm-sistemas-qsige

History

No history.

Subscriptions

Qsige Qsige

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-10-03T11:06:48.726Z

Updated: 2024-09-06T14:11:28.247Z

Reserved: 2023-08-02T11:53:03.266Z

Link: CVE-2023-4099

Vulnrichment

Updated: 2024-08-02T07:17:12.142Z

NVD

Status : Modified

Published: 2023-10-03T12:15:10.843

Modified: 2024-11-21T08:34:23.400

Link: CVE-2023-4099

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-639

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4099", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-08-02T11:53:03.266Z", "datePublished": "2023-10-03T11:06:48.726Z", "dateUpdated": "2024-09-06T14:11:28.247Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QSige", "vendor": "QSige de IDM Sistemas", "versions": [{"status": "affected", "version": "3.0.0.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pablo Arias Rodr\u00edguez, Jorge Alberto Palma Reyes and Rub\u00e9n Barber\u00e1 P\u00e9rez"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application."}], "value": "The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-03T11:06:48.726Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-idm-sistemas-qsige"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The reported vulnerabilities are fixed in the latest version of the affected product."}], "value": "The reported vulnerabilities are fixed in the latest version of the affected product."}], "source": {"discovery": "EXTERNAL"}, "title": "Multiple vulnerabilities in IDM Sistemas QSige", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.142Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-idm-sistemas-qsige", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-06T14:07:49.481288Z", "id": "CVE-2023-4099", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T14:11:28.247Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-idm-sistemas-qsige", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.142Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4099", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-06T14:07:49.481288Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T14:11:20.978Z"}}], "cna": {"title": "Multiple vulnerabilities in IDM Sistemas QSige", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pablo Arias Rodr\u00edguez, Jorge Alberto Palma Reyes and Rub\u00e9n Barber\u00e1 P\u00e9rez"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QSige de IDM Sistemas", "product": "QSige", "versions": [{"status": "affected", "version": "3.0.0.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The reported vulnerabilities are fixed in the latest version of the affected product.", "supportingMedia": [{"type": "text/html", "value": "The reported vulnerabilities are fixed in the latest version of the affected product.", "base64": false}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-idm-sistemas-qsige"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.", "supportingMedia": [{"type": "text/html", "value": "The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-03T11:06:48.726Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4099", "state": "PUBLISHED", "dateUpdated": "2024-09-06T14:11:28.247Z", "dateReserved": "2023-08-02T11:53:03.266Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2023-10-03T11:06:48.726Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qsige:qsige:3.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5BBAF4E7-336E-4D97-BECC-0C4349F37377", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application."}, {"lang": "es", "value": "La aplicaci\u00f3n QSige Monitor no cuenta con un mecanismo de control de acceso para verificar si el usuario que solicita un recurso tiene permisos suficientes para hacerlo. Como requisito previo, es necesario iniciar sesi\u00f3n en la aplicaci\u00f3n."}], "id": "CVE-2023-4099", "lastModified": "2024-11-21T08:34:23.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-03T12:15:10.843", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-idm-sistemas-qsige"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-idm-sistemas-qsige"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}