CVE-2023-6451

Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.themissinglink.com.au/security-advisories/cve-2023-6451	Third Party Advisory
https://www.themissinglink.com.au/security-advisories/cve-2023-6451	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:alayacare:procura:*:*:*:*:*:*:*:*

History

09 Jan 2025, 14:56

Type	Values Removed	Values Added
CWE		CWE-287
References	~~() https://www.themissinglink.com.au/security-advisories/cve-2023-6451 -~~	() https://www.themissinglink.com.au/security-advisories/cve-2023-6451 - Third Party Advisory
CPE		cpe:2.3:a:alayacare:procura::::::::
First Time		Alayacare procura Alayacare

21 Nov 2024, 08:43

Type	Values Removed	Values Added
References	~~() https://www.themissinglink.com.au/security-advisories/cve-2023-6451 -~~	() https://www.themissinglink.com.au/security-advisories/cve-2023-6451 -

16 Feb 2024, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-16 04:15

Updated : 2025-01-09 14:56

NVD link : CVE-2023-6451

Mitre link : CVE-2023-6451

CVE.ORG link : CVE-2023-6451

JSON object : View

Products Affected

alayacare

procura

CWE

CWE-1394

Use of Default Cryptographic Key

CWE-287

Improper Authentication

{"id": "CVE-2023-6451", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "vdp@themissinglink.com.au", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-02-16T04:15:08.090", "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-6451", "tags": ["Third Party Advisory"], "source": "vdp@themissinglink.com.au"}, {"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-6451", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "vdp@themissinglink.com.au", "description": [{"lang": "en", "value": "CWE-1394"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms.\n"}, {"lang": "es", "value": "La clave de m\u00e1quina criptogr\u00e1fica conocida p\u00fablicamente en el Portal Procura de AlayaCare anterior a 9.0.1.2 permite a los atacantes falsificar sus propias cookies de autenticaci\u00f3n y eludir los mecanismos de autenticaci\u00f3n de la aplicaci\u00f3n."}], "lastModified": "2025-01-09T14:56:51.713", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:alayacare:procura:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADB3292B-3B61-4060-8A26-5E4948D355BA", "versionEndExcluding": "9.0.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "vdp@themissinglink.com.au"}