CVE-2024-31845

{"id": "CVE-2024-31845", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-05-21T16:15:26.103", "references": [{"url": "https://www.gruppotim.it/it/footer/red-team.html", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-117"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Italtel Embrace 1.6.4. The product does not neutralize or incorrectly neutralizes output that is written to logs. The web application writes logs using a GET query string parameter. This parameter can be modified by an attacker, so that every action he performs is attributed to a different user. This can be exploited without authentication."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Italtel Embrace 1.6.4. El producto no neutraliza o neutraliza incorrectamente la salida escrita en los registros. La aplicaci\u00f3n web escribe registros utilizando un par\u00e1metro de cadena de consulta GET. Este par\u00e1metro puede ser modificado por un atacante, de modo que cada acci\u00f3n que realice se atribuya a un usuario diferente. Esto se puede explotar sin autenticaci\u00f3n."}], "lastModified": "2024-07-03T01:55:28.633", "sourceIdentifier": "cve@mitre.org"}