Overview
Amtelco miSecureMessages lacks authentication for access to user messages. (CWE-287)
Description
Amtelco miSecureMessages lacks authentication for access to user messages. The miSecureMessages app has been reported to lack authentication and session management. An attacker only needs to provide a contactID and valid license key in their XML request to the server to access any user's messages.
Impact
A remote unauthenticated attacker may be able to read the messages of all users by iterating through all possible contactIDs.
Solution
We are currently unaware of a practical solution to this problem.
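With no fix available, one compensating control is to watch server-side request logs for the contactID iteration described under Impact. The following is an added example, not code from this advisory or from the vendor: it flags any client that requests many different contactIDs within a short window. The log format, field layout and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real product logs.
# Assumed fields: timestamp, client address, contactID named in the request.
SAMPLE_LOG = """\
2014-04-11T10:00:00 203.0.113.20 1001
2014-04-11T10:00:30 203.0.113.20 1001
2014-04-11T10:01:00 203.0.113.21 2002
2014-04-11T10:01:05 198.51.100.7 1000
2014-04-11T10:01:06 198.51.100.7 1001
2014-04-11T10:01:07 198.51.100.7 1002
2014-04-11T10:01:08 198.51.100.7 1003
2014-04-11T10:01:09 198.51.100.7 1004
2014-04-11T10:02:00 203.0.113.20 1001
2014-04-11T10:09:00 203.0.113.21 2003
"""


def parse(text):
    """Yield (timestamp, source, contact_id) tuples from the assumed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, cid = line.split()
            yield datetime.fromisoformat(ts), src, cid


def find_enumeration(records, window=timedelta(minutes=5), max_distinct=3):
    """Map each source that requested more than max_distinct different
    contactIDs inside any sliding window to its peak distinct count."""
    recent = defaultdict(deque)   # source -> (timestamp, contact_id) in window
    flagged = {}
    for ts, src, cid in sorted(records):
        q = recent[src]
        q.append((ts, cid))
        while ts - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        distinct = len({c for _, c in q})
        if distinct > max_distinct:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, n in find_enumeration(parse(SAMPLE_LOG)).items():
        print(f"{src}: {n} distinct contactIDs within the window")
```

A device polling its own contactID repeatedly stays at a distinct count of one, so the threshold mainly needs to allow for several legitimate devices sharing one address.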
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Amtelco | Affected | - | 11 Apr 2014 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.8 | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Temporal | 6.3 | E:POC/RL:U/RC:UC |
Environmental | 4.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- https://itunes.apple.com/us/app/misecuremessages/id423957478?mt=8
- https://play.google.com/store/apps/details?id=com.amtelco.secure
- https://misecuremessages.com/
- https://cwe.mitre.org/data/definitions/287.html
Credit
Thanks to Jared Bird for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2014-0357
- Date Public: 11 Apr 2014
- Date First Published: 11 Apr 2014
- Date Last Updated: 11 Apr 2014
- Document Revision: 7