Dev Blog v1.0 - ATO
9,1
Critical
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Dev Blog v1.0 - Account Takeover
Code name
State
Public
Release date
10 de abr. de 2023
Affected product
Dev Blog
Affected version(s)
v1.0
Vulnerability name
Account Takeover (ATO)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v3.1 base score
9.1
Exploit available
Yes
CVE ID(s)
Description
Dev blog v1.0 allows to exploit an account takeover through the "user" cookie. With this, an attacker can access any user's session just by knowing their username.
Vulnerability
An account takeover has been identified in Dev blog, which allows an attacker to hijack the session of arbitrary users as long as he knows the respective username of the victim.
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-6144 to refer to this issue from now on. Disclosure policy
System Information
Version: Dev Blog v1.0
Operating System: MacOS
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://github.com/Armanidrisi/devblog/
Timeline
Vulnerability discovered
14 de nov. de 2023
Vendor contacted
14 de nov. de 2023
Vendor confirmed
14 de nov. de 2023
Public disclosure
15 de nov. de 2023
