{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-8888","assignerOrgId":"0cbda920-cd7f-484a-8e76-bf7f4b7f4516","state":"PUBLISHED","assignerShortName":"INCIBE","dateReserved":"2024-09-16T10:20:29.982Z","datePublished":"2024-09-18T11:54:47.337Z","dateUpdated":"2024-09-18T13:14:00.252Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"CIRCUTOR Q-SMT","vendor":"CIRCUTOR","versions":[{"status":"affected","version":"1.0.4","versionType":"firmware"}]}],"credits":[{"lang":"en","type":"finder","value":"Aarón Flecha"},{"lang":"en","type":"finder","value":"Gabriel Vía Echezarreta"}],"datePublic":"2024-09-16T10:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc."}],"value":"An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. \nToken theft can originate from different methods such as network captures, locally stored web information, etc."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-613","description":"CWE-613 Insufficient Session Expiration","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"0cbda920-cd7f-484a-8e76-bf7f4b7f4516","shortName":"INCIBE","dateUpdated":"2024-09-18T11:54:47.337Z"},"references":[{"url":"https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."}],"value":"CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. \nCIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated."}],"source":{"discovery":"EXTERNAL"},"title":"Insufficient Session Expiration vulnerability on CIRCUTOR Q-SMT","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"circutor","product":"circutor_q_smt","cpes":["cpe:2.3:a:circutor:circutor_q_smt:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"10.4","status":"affected"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-09-18T13:10:09.717495Z","id":"CVE-2024-8888","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-18T13:14:00.252Z"}}]}}