CVE-2024-0580 - OpenCVE

Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Idmsistemas	Sinergia

Configuration 1 [-]

cpe:2.3:a:idmsistemas:sinergia:2.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/omission-key-controlled-authorization-qsige

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-01-18T08:47:16.711Z

Updated: 2024-08-01T18:11:35.275Z

Reserved: 2024-01-16T08:06:10.223Z

Link: CVE-2024-0580

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-18T09:15:07.960

Modified: 2024-01-26T18:51:15.993

Link: CVE-2024-0580

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0580", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-01-16T08:06:10.223Z", "datePublished": "2024-01-18T08:47:16.711Z", "dateUpdated": "2024-08-01T18:11:35.275Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Sinergia, Sinergia 2.0, and Sinergia Corporativo", "vendor": "IDMSistemas", "versions": [{"status": "affected", "version": "2.0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oscar Atienza"}], "datePublic": "2024-01-16T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc."}], "value": "Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-01-18T08:47:16.711Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/omission-key-controlled-authorization-qsige"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update the 'locator' module of the affected product. A patch was applied to this module on June 23, 2023. Please refer to the link (<a target=\"_blank\" rel=\"nofollow\" href=\"https://web/qsige.localizador/about\">https://web/qsige.localizador/about</a>) for details. If you are using an older version, you can contact IDM to upgrade your system."}], "value": "Update the 'locator' module of the affected product. A patch was applied to this module on June 23, 2023. Please refer to the link ( https://web/qsige.localizador/about https://web/qsige.localizador/about ) for details. If you are using an older version, you can contact IDM to upgrade your system."}], "source": {"discovery": "UNKNOWN"}, "title": "Omission of key-controlled authorization in Qsige", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:11:35.275Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/omission-key-controlled-authorization-qsige", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:idmsistemas:sinergia:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "302C379E-019F-4A7B-83F5-3F52CE5C4D05", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc."}, {"lang": "es", "value": "Omisi\u00f3n de autorizaci\u00f3n de clave controlada por el usuario en la plataforma IDMSistemas, afectando el producto QSige. Esta vulnerabilidad permite a un atacante extraer informaci\u00f3n confidencial de la API realizando una solicitud al par\u00e1metro '/qsige.locator/quotePrevious/centers/X', donde X admite los valores 1,2,3, etc."}], "id": "CVE-2024-0580", "lastModified": "2024-01-26T18:51:15.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2024-01-18T09:15:07.960", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/omission-key-controlled-authorization-qsige"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}