CVE-2023-6913 - OpenCVE

A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Imoulife	Imou Life

Configuration 1 [-]

cpe:2.3:a:imoulife:imou_life:6.7.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-12-19T14:49:48.766Z

Updated: 2024-08-02T08:42:08.526Z

Reserved: 2023-12-18T09:51:26.413Z

Link: CVE-2023-6913

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-19T15:15:09.447

Modified: 2023-12-28T19:03:17.600

Link: CVE-2023-6913

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6913", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-12-18T09:51:26.413Z", "datePublished": "2023-12-19T14:49:48.766Z", "dateUpdated": "2024-08-02T08:42:08.526Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Imou Life app", "vendor": "Imou", "versions": [{"status": "affected", "version": "6.7.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan Adamski (johnny1337.pl)"}], "datePublic": "2023-12-18T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks."}], "value": "A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-12-19T15:03:31.788Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vulnerability fixed in later versions. "}], "value": "Vulnerability fixed in later versions. "}], "source": {"discovery": "UNKNOWN"}, "title": "Session Hijacking on Imou Life app", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:42:08.526Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imoulife:imou_life:6.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "A979E6CE-80D8-4A00-B14B-20BDEF1CD9A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de secuestro de sesi\u00f3n en la aplicaci\u00f3n Imou Life que afecta a la versi\u00f3n 6.7.0. Esta vulnerabilidad podr\u00eda permitir a un atacante secuestrar cuentas de usuario debido a que la funcionalidad del c\u00f3digo QR no filtra correctamente los c\u00f3digos al escanear un nuevo dispositivo y ejecutar WebView directamente sin avisar ni mostrarlo al usuario. Esta vulnerabilidad podr\u00eda desencadenar ataques de phishing."}], "id": "CVE-2023-6913", "lastModified": "2023-12-28T19:03:17.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-12-19T15:15:09.447", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}