CVE-2024-26263 - Vulnerability Details - OpenCVE

EBM Technologies RISWEB's specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00066.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Ebm Technologies	Risweb
Ebmtech	Risweb

Configuration 1 [-]

cpe:2.3:a:ebmtech:risweb:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

Update to 3.x or later version.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-7676-9418d-1.html

History

Thu, 23 Jan 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ebmtech Ebmtech risweb
CPEs		cpe:2.3:a:ebmtech:risweb::::::::
Vendors & Products		Ebmtech Ebmtech risweb

Mon, 14 Oct 2024 07:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-284

Mon, 14 Oct 2024 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ebm Technologies Ebm Technologies risweb
CPEs		cpe:2.3:a:ebm_technologies:risweb::::::::
Vendors & Products		Ebm Technologies Ebm Technologies risweb
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 14 Oct 2024 06:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-306

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2024-02-15T02:56:03.757Z

Updated: 2024-10-14T06:13:18.118Z

Reserved: 2024-02-15T01:33:48.680Z

Link: CVE-2024-26263

Vulnrichment

Updated: 2024-08-02T00:07:19.335Z

NVD

Status : Analyzed

Published: 2024-02-15T03:15:35.530

Modified: 2025-01-23T17:39:42.940

Link: CVE-2024-26263

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26263", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-02-15T01:33:48.680Z", "datePublished": "2024-02-15T02:56:03.757Z", "dateUpdated": "2024-10-14T06:13:18.118Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "RISWEB", "vendor": "EBM Technologies", "versions": [{"status": "affected", "version": "1.*"}, {"status": "affected", "version": "2.*"}]}], "datePublic": "2024-02-15T02:55:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "EBM Technologies RISWEB's specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login."}], "value": "EBM Technologies RISWEB's specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-10-14T06:13:18.118Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7676-9418d-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 3.x or later version."}], "value": "Update to 3.x or later version."}], "source": {"advisory": "TVN-202402005", "discovery": "EXTERNAL"}, "title": "EBM Technologies RISWEB - Improper Access Control", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.335Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-7676-9418d-1.html"}]}, {"affected": [{"vendor": "ebm_technologies", "product": "risweb", "cpes": ["cpe:2.3:a:ebm_technologies:risweb:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.0", "status": "affected", "lessThan": "3.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-15T19:43:13.709483Z", "id": "CVE-2024-26263", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T18:10:53.904Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7676-9418d-1.html", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.335Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26263", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-15T19:43:13.709483Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ebm_technologies:risweb:*:*:*:*:*:*:*:*"], "vendor": "ebm_technologies", "product": "risweb", "versions": [{"status": "affected", "version": "1.0", "lessThan": "3.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T18:10:42.582Z"}}], "cna": {"title": "EBM Technologies RISWEB - Improper Access Control", "source": {"advisory": "TVN-202402005", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "EBM Technologies", "product": "RISWEB", "versions": [{"status": "affected", "version": "1.*"}, {"status": "affected", "version": "2.*"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to 3.x or later version.", "supportingMedia": [{"type": "text/html", "value": "Update to 3.x or later version.", "base64": false}]}], "datePublic": "2024-02-15T02:55:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7676-9418d-1.html", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "EBM Technologies RISWEB's specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login.", "supportingMedia": [{"type": "text/html", "value": "EBM Technologies RISWEB's specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-10-14T06:13:18.118Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26263", "state": "PUBLISHED", "dateUpdated": "2024-10-14T06:13:18.118Z", "dateReserved": "2024-02-15T01:33:48.680Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2024-02-15T02:56:03.757Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ebmtech:risweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "29A8758C-3A7A-42EC-B7C1-5F6B5EA5D3C8", "versionEndExcluding": "3.0", "versionStartIncluding": "1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EBM Technologies RISWEB's specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login."}, {"lang": "es", "value": "La ruta URL espec\u00edfica de EBM Technologies RISWEB no est\u00e1 controlada adecuadamente mediante permiso, lo que permite a los atacantes navegar por p\u00e1ginas espec\u00edficas y consultar datos confidenciales sin iniciar sesi\u00f3n."}], "id": "CVE-2024-26263", "lastModified": "2025-01-23T17:39:42.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-15T03:15:35.530", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7676-9418d-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7676-9418d-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}