CVE-2023-6913 - Vulnerability Details - OpenCVE

Description

A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks.

Published: 2023-12-19

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Imou

Imou Life app

unaffected

Version	Status	Constraints
`6.7.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:imoulife:imou_life:6.7.0:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Vulnerability fixed in later versions.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-59112	A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00093.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app

History

No history.

Subscriptions

Imoulife Imou Life

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-12-19T14:49:48.766Z

Updated: 2024-08-02T08:42:08.526Z

Reserved: 2023-12-18T09:51:26.413Z

Link: CVE-2023-6913

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-19T15:15:09.447

Modified: 2024-11-21T08:44:49.510

Link: CVE-2023-6913

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-384

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6913", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-12-18T09:51:26.413Z", "datePublished": "2023-12-19T14:49:48.766Z", "dateUpdated": "2024-08-02T08:42:08.526Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Imou Life app", "vendor": "Imou", "versions": [{"status": "affected", "version": "6.7.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan Adamski (johnny1337.pl)"}], "datePublic": "2023-12-18T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks."}], "value": "A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-12-19T15:03:31.788Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vulnerability fixed in later versions. "}], "value": "Vulnerability fixed in later versions. "}], "source": {"discovery": "UNKNOWN"}, "title": "Session Hijacking on Imou Life app", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:42:08.526Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imoulife:imou_life:6.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "A979E6CE-80D8-4A00-B14B-20BDEF1CD9A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. This vulnerability could allow an attacker to hijack user accounts due to the QR code functionality not properly filtering codes when scanning a new device and directly running WebView without prompting or displaying it to the user. This vulnerability could trigger phishing attacks."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de secuestro de sesi\u00f3n en la aplicaci\u00f3n Imou Life que afecta a la versi\u00f3n 6.7.0. Esta vulnerabilidad podr\u00eda permitir a un atacante secuestrar cuentas de usuario debido a que la funcionalidad del c\u00f3digo QR no filtra correctamente los c\u00f3digos al escanear un nuevo dispositivo y ejecutar WebView directamente sin avisar ni mostrarlo al usuario. Esta vulnerabilidad podr\u00eda desencadenar ataques de phishing."}], "id": "CVE-2023-6913", "lastModified": "2024-11-21T08:44:49.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-19T15:15:09.447", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/session-hijacking-imou-life-app"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}