CVE-2024-6890
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD
Description
Password reset tokens are generated using an insecure source of randomness. An attacker who knows the username of the Journyx installation user can brute-force the password reset token and change the administrator password.
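The following is an added illustration of the weakness classes this record maps to (a predictable, small-space reset token with no attempt limit) beside a hardened counterpart. It is constructed for this page and is not Journyx code: the six-digit token format, the timestamp seed, the 15-minute lifetime and the five-attempt cap are all assumptions, and the advisory does not state how Journyx actually derives its tokens.

```python
"""Constructed illustration of CWE-334 (small space of random values) and
CWE-799 (no interaction limit) in a password-reset flow, plus a hardened
version. Not Journyx code; token format, seed, TTL and limits are assumed."""
import hashlib
import hmac
import random
import secrets

TOKEN_SPACE = 10**6          # weak tokens: six decimal digits (assumption)
TTL_SECONDS = 15 * 60        # hardened tokens: lifetime (assumption)
MAX_ATTEMPTS = 5             # hardened tokens: failures before invalidation (assumption)


def weak_token(seed: int) -> str:
    """Six-digit token from a PRNG seeded with the request timestamp. Anyone
    who knows roughly when the reset was requested can re-derive it."""
    return f"{random.Random(seed).randrange(TOKEN_SPACE):06d}"


class WeakResetService:
    """Token is predictable, never expires and may be guessed indefinitely."""

    def __init__(self):
        self.tokens = {}   # username -> token

    def request_reset(self, username: str, now: float) -> None:
        self.tokens[username] = weak_token(int(now))   # seed is the wall clock

    def complete_reset(self, username: str, token: str, now: float) -> bool:
        return self.tokens.get(username) == token      # no expiry, no counter


class HardenedResetService:
    """256-bit CSPRNG token, stored only as a hash, time- and attempt-limited."""

    def __init__(self):
        self.records = {}   # username -> {"digest", "expires", "failures"}

    def request_reset(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.records[username] = {
            "digest": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + TTL_SECONDS,
            "failures": 0,
        }
        return token    # delivered out of band; a DB leak exposes only the hash

    def complete_reset(self, username: str, token: str, now: float) -> bool:
        rec = self.records.get(username)
        if rec is None or now > rec["expires"]:
            self.records.pop(username, None)            # expired: discard
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if hmac.compare_digest(rec["digest"], digest):   # constant-time compare
            del self.records[username]                   # single use
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:              # CWE-799 countermeasure
            del self.records[username]                   # force a new request
        return False


def seed_window_attack(service, username: str, t0: int, window: int, now: float):
    """Attacker knows the username and the reset time to within `window`
    seconds; returns (seed, attempts) on success or (None, attempts)."""
    attempts = 0
    for seed in range(t0 - window, t0 + window + 1):
        attempts += 1
        if service.complete_reset(username, weak_token(seed), now):
            return seed, attempts
    return None, attempts


if __name__ == "__main__":
    t = 1_700_000_000.4   # constructed reset-request time
    weak = WeakResetService()
    weak.request_reset("admin", t)
    print("weak service:", seed_window_attack(weak, "admin", int(t) + 30, 60, t))
    hard = HardenedResetService()
    hard.request_reset("admin", t)
    print("hardened service:", seed_window_attack(hard, "admin", int(t) + 30, 60, t))
```

Against the weak service the attacker recovers a working token in a few dozen requests because the seed is the request time; against the hardened service the same loop is cut off after five failures and the token cannot be re-derived at all, since it comes from the OS CSPRNG rather than a seedable generator. A token derived from a hard-coded key (CWE-321/CWE-798) fails the same way as the timestamp seed: whoever holds the key regenerates the token without guessing.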
Affected (1)
Related CWEs
CWE-321
Use of Hard-coded Cryptographic Key
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
CWE-334
Small Space of Random Values
The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.
CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.
CWE-799
Improper Control of Interaction Frequency
The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
References (2)
Source: bbf0bd87-ece2-41be-b873-96928ee8fab9
Exploit; Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Timeline
No history available yet.