Products
IBM Aspera Orchestrator
- 4.0.1
Source
psirt@us.ibm.com
Tags
CVE-2023-26288 details
Published : July 30, 2024, 5:15 p.m.
Last Modified : July 30, 2024, 5:15 p.m.
Last Modified : July 30, 2024, 5:15 p.m.
Description
IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.
CVSS Score
| 1 | 2 | 3 | 4 | 5.5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-613 | Insufficient Session Expiration | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
Base Score
5.5
Exploitability Score
2.1
Impact Score
3.4
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
References
| URL | Source |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/248477 | psirt@us.ibm.com |
| https://www.ibm.com/support/pages/node/7161538 | psirt@us.ibm.com |
This website uses the NVD API, but is not approved or certified by it.