Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by alayacare
CVE-2023-6451 (GCVE-0-2023-6451)
Vulnerability from cvelistv5 – Published: 2024-02-16 04:06 – Updated: 2024-08-02 08:28
VLAI
Title
Publicly Known Cryptographic Machine Key In Procura Portal Application
Summary
Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| AlayaCare | Procura Portal |
Affected:
0 , < 9.0.1.2
(Major)
|
|
| alayacare | procura_portal |
Affected:
0 , < 9.0.1.2
(custom)
cpe:2.3:a:alayacare:procura_portal:*:*:*:*:*:*:*:* |
Date Public
2024-02-16 08:00
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:alayacare:procura_portal:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "procura_portal",
"vendor": "alayacare",
"versions": [
{
"lessThan": "9.0.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6451",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-23T16:59:47.355288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T15:05:18.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.849Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-6451"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Procura Portal",
"vendor": "AlayaCare",
"versions": [
{
"lessThan": "9.0.1.2",
"status": "affected",
"version": "0",
"versionType": "Major"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jake Cleland"
}
],
"datePublic": "2024-02-16T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Publicly known cryptographic machine key in AlayaCare\u0027s Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application\u0027s authentication mechanisms.\u003cbr\u003e"
}
],
"value": "Publicly known cryptographic machine key in AlayaCare\u0027s Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application\u0027s authentication mechanisms.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1394",
"description": "CWE-1394",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-16T04:08:11.683Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-6451"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Generate new machine keys in the application\u0027s web.config file immediately.\u003cbr\u003e"
}
],
"value": "Generate new machine keys in the application\u0027s web.config file immediately.\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Publicly Known Cryptographic Machine Key In Procura Portal Application",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2023-6451",
"datePublished": "2024-02-16T04:06:17.797Z",
"dateReserved": "2023-11-30T22:06:55.677Z",
"dateUpdated": "2024-08-02T08:28:21.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}