CVE-2024-6890
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Journyx | Journyx (jtime) | 11.5.4 | affected |
Weaknesses
- CWE-321: CWE-321 Use of Hard-coded Cryptographic Key
- CWE-334: CWE-334 Small Space of Random Values
- CWE-799: CWE-799 Improper Control of Interaction Frequency
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.