CVE-2023-48392

Kaifa Technology WebITR - Hard-coded Cryptographic Key

CVSS 9.8 CRITICALEPSS 0.6%CWE-321

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.8EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

15 Dec 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator’s account, to execute login account’s permissions, and obtain relevant information.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Kaifa Technology · WebITR

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.twcert.org.tw/tw/cp-132-7622-57e5f-1.html