{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8888", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-09-16T10:20:29.982Z", "datePublished": "2024-09-18T11:54:47.337Z", "dateUpdated": "2024-09-18T13:14:00.252Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CIRCUTOR Q-SMT", "vendor": "CIRCUTOR", "versions": [{"status": "affected", "version": "1.0.4", "versionType": "firmware"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Aar\u00f3n Flecha"}, {"lang": "en", "type": "finder", "value": "Gabriel V\u00eda Echezarreta"}], "datePublic": "2024-09-16T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."}], "value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-09-18T11:54:47.337Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."}], "value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."}], "source": {"discovery": "EXTERNAL"}, "title": "Insufficient Session Expiration vulnerability on CIRCUTOR Q-SMT", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "circutor", "product": "circutor_q_smt", "cpes": ["cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "10.4", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T13:10:09.717495Z", "id": "CVE-2024-8888", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T13:14:00.252Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-18T13:10:09.717495Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:*"], "vendor": "circutor", "product": "circutor_q_smt", "versions": [{"status": "affected", "version": "10.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T13:13:52.956Z"}}], "cna": {"title": "Insufficient Session Expiration vulnerability on CIRCUTOR Q-SMT", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Aar\u00f3n Flecha"}, {"lang": "en", "type": "finder", "value": "Gabriel V\u00eda Echezarreta"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CIRCUTOR", "product": "CIRCUTOR Q-SMT", "versions": [{"status": "affected", "version": "1.0.4", "versionType": "firmware"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated.", "supportingMedia": [{"type": "text/html", "value": "CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated.", "base64": false}]}], "datePublic": "2024-09-16T10:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.", "supportingMedia": [{"type": "text/html", "value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-09-18T11:54:47.337Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8888", "state": "PUBLISHED", "dateUpdated": "2024-09-18T13:14:00.252Z", "dateReserved": "2024-09-16T10:20:29.982Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-09-18T11:54:47.337Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:circutor:q-smt_firmware:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "292A461E-4540-40B6-9366-E78BA7EB5EB9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:circutor:q-smt:-:*:*:*:*:*:*:*", "matchCriteriaId": "9DA81978-4905-41F2-869B-430A9AEC2EEC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."}, {"lang": "es", "value": "Un atacante con acceso a la red donde se encuentra CIRCUTOR Q-SMT en su versi\u00f3n de firmware 1.0.4, podr\u00eda robar los tokens utilizados en la web, ya que estos no tienen fecha de caducidad para acceder a la aplicaci\u00f3n web sin restricciones. El robo de tokens puede tener su origen en diferentes m\u00e9todos como capturas de red, informaci\u00f3n web almacenada localmente, etc."}], "id": "CVE-2024-8888", "lastModified": "2024-10-01T19:30:35.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2024-09-18T12:15:03.520", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}