CVE-2023-36483

Summary

Authorization bypass can be achieved by session ID prediction in MASmobile Classic Android  version 1.16.18 and earlier and

MASmobile Classic iOS version 1.7.24 and earlier

which allows remote attackers to retrieve sensitive data  including customer data, security system status, and event history.

Affected Software

VendorProductVersion RangeStatus
MAS (a Carrier brand)MASmobile Classic1 <= 1.16.18affected
MAS (a Carrier brand)MASmobile Classic1 <= 1.7.24affected
MAS (a Carrier brand)MAS ASP.Net Services1 <= 1.9affected

Weaknesses

  • CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References