Published: 2019-11-05 | Updated: 2019-11-05
Severity
Medium
Patch available
YES
Number of vulnerabilities
4
CVE ID
CVE-2019-16906, CVE-2019-16909, CVE-2019-16908, CVE-2019-16907
CWE ID
CWE-287
Exploitation vector
Network
Public exploit
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available.
Vulnerable software
In-App & Desktop Notifications
Vendor
Infosysta
Security Advisory
1) Improper Authentication
Severity: Medium
CVSSv3: 6.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C] [PCI]
CVE-ID: CVE-2019-16906
CWE-ID: CWE-287 - Improper Authentication
Description
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists because the "/plugins/servlet/nfj/PushNotification?username=" URL trusts the username supplied in the request rather than the authenticated session. A remote attacker can modify the username parameter, bypass the authentication process and gain unauthorized read access to a different user's notifications.
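As an added detection example (not part of this advisory or of the vendor's code), the following Python scans access-log lines for requests to the PushNotification servlet whose username parameter does not match the authenticated user, which is the pattern the description above implies; the Jira-style log layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines, loosely modelled on a Jira access log (assumed layout):
# "<ip> <request-id> <authenticated-user> [<timestamp>] "<method> <target> HTTP/1.1" <status>"
# The authenticated-user column is "-" for requests without a session.
SAMPLE_LOG = """\
10.0.0.5 1x2x3 alice [05/Nov/2019:10:00:01 +0000] "GET /plugins/servlet/nfj/PushNotification?username=alice HTTP/1.1" 200
10.0.0.5 1x2x4 alice [05/Nov/2019:10:00:07 +0000] "GET /plugins/servlet/nfj/PushNotification?username=bob HTTP/1.1" 200
10.0.0.9 1x2x5 - [05/Nov/2019:10:00:09 +0000] "GET /plugins/servlet/nfj/PushNotification?username=carol HTTP/1.1" 200
10.0.0.7 1x2x6 bob [05/Nov/2019:10:00:12 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TARGET_PATH = "/plugins/servlet/nfj/PushNotification"  # servlet named in the advisory


def parse_line(line):
    """Split one log line into its fields; the request target is split into path and query."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _req_id, user, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "user": user, "ts": ts, "method": method,
            "path": parts.path, "query": parse_qs(parts.query), "status": status}


def find_notification_access_mismatches(log_text):
    """Return hits where the PushNotification servlet was queried for a username
    other than the session's authenticated user, or with no session at all."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        requested = rec["query"].get("username", [None])[0]
        if requested is None:
            continue  # no username parameter: nothing to compare against
        if rec["user"] == "-" or requested != rec["user"]:
            hits.append({"ts": rec["ts"], "ip": rec["ip"],
                         "session_user": rec["user"], "requested_user": requested})
    return hits


if __name__ == "__main__":
    for hit in find_notification_access_mismatches(SAMPLE_LOG):
        print(hit)
```

On the constructed sample the anonymous request and alice's request for bob's notifications are flagged; alice reading her own notifications and the unrelated issue view are not.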
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
In-App & Desktop Notifications: 1.6.13_J8
External links
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-041.txt