CVE-2019-16133

Published: Sep 9, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue was discovered in eteams OA v4.0.34. Because the session is not strictly checked, the account names and passwords of all employees in the company can be obtained by an ordinary account. Specifically, the attacker sends a jsessionid value for URIs under app/profile/summary/.

Affected (1)

Products: Weaver: Eteams Oa

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Weaver Eteams Oa	Version 4.0.34

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (2)

http://www.iwantacve.cn/index.php/archives/271/

Source: cve@mitre.org

ExploitThird Party Advisory

http://www.iwantacve.cn/index.php/archives/271/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.