CVE-2024-47654

This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead to the OTP bombing on the targeted system.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:shilpisoft:client_dashboard:*:*:*:*:*:*:*:*

History

16 Oct 2024, 15:17

Type	Values Removed	Values Added
CWE		NVD-CWE-Other
Summary		(es) Esta vulnerabilidad existe en Shilpi Client Dashboard debido a la falta de limitación de velocidad y protección Captcha para solicitudes OTP en ciertos endpoints de API. Un atacante remoto no autenticado podría aprovechar esta vulnerabilidad enviando múltiples solicitudes OTP a través de endpoints de API vulnerables, lo que podría provocar el bombardeo de OTP en el sistema objetivo.
CPE		cpe:2.3:a:shilpisoft:client_dashboard::::::::
References	~~() https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313 -~~	() https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313 - Third Party Advisory
First Time		Shilpisoft Shilpisoft client Dashboard
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

04 Oct 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-04 13:15

Updated : 2024-10-16 15:17

NVD link : CVE-2024-47654

Mitre link : CVE-2024-47654

CVE.ORG link : CVE-2024-47654

JSON object : View

Products Affected

shilpisoft

client_dashboard

CWE

NVD-CWE-Other CWE-799

Improper Control of Interaction Frequency

{"id": "CVE-2024-47654", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "vdisclose@cert-in.org.in", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 7.1, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-04T13:15:11.680", "references": [{"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313", "tags": ["Third Party Advisory"], "source": "vdisclose@cert-in.org.in"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "vdisclose@cert-in.org.in", "description": [{"lang": "en", "value": "CWE-799"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead to the OTP bombing on the targeted system."}, {"lang": "es", "value": "Esta vulnerabilidad existe en Shilpi Client Dashboard debido a la falta de limitaci\u00f3n de velocidad y protecci\u00f3n Captcha para solicitudes OTP en ciertos endpoints de API. Un atacante remoto no autenticado podr\u00eda aprovechar esta vulnerabilidad enviando m\u00faltiples solicitudes OTP a trav\u00e9s de endpoints de API vulnerables, lo que podr\u00eda provocar el bombardeo de OTP en el sistema objetivo."}], "lastModified": "2024-10-16T15:17:33.227", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:shilpisoft:client_dashboard:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC172203-D79B-43A2-A195-9C370BDEA79F", "versionEndExcluding": "9.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "vdisclose@cert-in.org.in"}