CVE-2023-44039

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-44039
In VeridiumID before 3.5.0, the WebAuthn API allows an internal unauthenticated attacker (who can pass enrollment verifications and is allowed to enroll a FIDO key) to register their FIDO authenticator to a victim’s account and consequently take over the account.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://docs.veridiumid.com/docs/v3.5/security-advisory#id-%28v3.52%29SecurityAdvisory-Acknowledgement Vendor Advisory
https://veridiumid.com/veridium-id-authentication-platform/ Product
https://docs.veridiumid.com/docs/v3.5/security-advisory#id-%28v3.52%29SecurityAdvisory-Acknowledgement Vendor Advisory
https://veridiumid.com/veridium-id-authentication-platform/ Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:veridiumid:veridiumad:*:*:*:*:*:*:*:*
History

16 Apr 2025, 15:20

Type Values Removed Values Added
References () https://docs.veridiumid.com/docs/v3.5/security-advisory#id-%28v3.52%29SecurityAdvisory-Acknowledgement - () https://docs.veridiumid.com/docs/v3.5/security-advisory#id-%28v3.52%29SecurityAdvisory-Acknowledgement - Vendor Advisory
References () https://veridiumid.com/veridium-id-authentication-platform/ - () https://veridiumid.com/veridium-id-authentication-platform/ - Product
First Time Veridiumid
Veridiumid veridiumad
CPE cpe:2.3:a:veridiumid:veridiumad:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo

21 Nov 2024, 08:25

Type Values Removed Values Added
References () https://docs.veridiumid.com/docs/v3.5/security-advisory#id-%28v3.52%29SecurityAdvisory-Acknowledgement - () https://docs.veridiumid.com/docs/v3.5/security-advisory#id-%28v3.52%29SecurityAdvisory-Acknowledgement -
References () https://veridiumid.com/veridium-id-authentication-platform/ - () https://veridiumid.com/veridium-id-authentication-platform/ -

21 Aug 2024, 21:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1
CWE CWE-287
Summary
  • (es) En VeridiumID anterior a 3.5.0, la API WebAuthn permite que un atacante interno no autenticado (que puede pasar verificaciones de inscripción y puede registrar una clave FIDO) registre su autenticador FIDO en la cuenta de una víctima y, en consecuencia, se haga cargo de la cuenta.

03 Apr 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-04-03 16:15

Updated : 2025-04-16 15:20

NVD link : CVE-2023-44039

Mitre link : CVE-2023-44039

CVE.ORG link : CVE-2023-44039

JSON object : View

Products Affected

veridiumid

  • veridiumad
CWE
NVD-CWE-noinfo CWE-287

Improper Authentication