CVE-2024-2463 (GCVE-0-2024-2463)
Vulnerability from cvelistv5 – Published: 2024-03-21 14:50 – Updated: 2024-08-01 21:13
VLAI
Title
Weak password recovery mechanism in CDeX
Summary
Weak password recovery mechanism in CDeX application allows to retrieve password reset token.This issue affects CDeX application versions through 5.7.1.
Severity
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/03/CVE-2024-2463/ | third-party-advisory |
| https://cert.pl/posts/2024/03/CVE-2024-2463/ | third-party-advisory |
| https://cdex.cloud/ | product |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2024/03/CVE-2024-2463/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2024/03/CVE-2024-2463/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://cdex.cloud/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cdex:cdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "cdex",
"vendor": "cdex",
"versions": [
{
"lessThanOrEqual": "5.7.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-2463",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T21:10:33.042953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T21:13:30.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CDeX",
"vendor": "CDeX PSA",
"versions": [
{
"lessThanOrEqual": "5.7.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Walkowski, PhD"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Weak password recovery mechanism in CDeX application allows to retrieve\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003epassword\u0026nbsp;\u003c/span\u003ereset token.\u003cp\u003eThis issue affects CDeX application versions through 5.7.1.\u003c/p\u003e"
}
],
"value": "Weak password recovery mechanism in CDeX application allows to retrieve\u00a0password\u00a0reset token.This issue affects CDeX application versions through 5.7.1.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-50",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-50 Password Recovery Exploitation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-21T14:50:02.541Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/03/CVE-2024-2463/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/03/CVE-2024-2463/"
},
{
"tags": [
"product"
],
"url": "https://cdex.cloud/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Weak password recovery mechanism in CDeX",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-2463",
"datePublished": "2024-03-21T14:50:02.541Z",
"dateReserved": "2024-03-14T17:11:18.241Z",
"dateUpdated": "2024-08-01T21:13:30.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-2463",
"date": "2026-05-26",
"epss": "0.00212",
"percentile": "0.43518"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-2463\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2024-03-21T15:16:54.417\",\"lastModified\":\"2025-06-17T13:49:07.733\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Weak password recovery mechanism in CDeX application allows to retrieve\u00a0password\u00a0reset token.This issue affects CDeX application versions through 5.7.1.\\n\\n\"},{\"lang\":\"es\",\"value\":\"El mecanismo d\u00e9bil de recuperaci\u00f3n de contrase\u00f1a en la aplicaci\u00f3n CDeX permite recuperar el token de restablecimiento de contrase\u00f1a. Este problema afecta a las versiones de la aplicaci\u00f3n CDeX hasta la 5.7.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-640\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cdex:cdex:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.71\",\"matchCriteriaId\":\"B0727A25-ACE5-4E39-A68F-84974E7CE0BA\"}]}]}],\"references\":[{\"url\":\"https://cdex.cloud/\",\"source\":\"cvd@cert.pl\",\"tags\":[\"Product\"]},{\"url\":\"https://cert.pl/en/posts/2024/03/CVE-2024-2463/\",\"source\":\"cvd@cert.pl\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert.pl/posts/2024/03/CVE-2024-2463/\",\"source\":\"cvd@cert.pl\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cdex.cloud/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://cert.pl/en/posts/2024/03/CVE-2024-2463/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert.pl/posts/2024/03/CVE-2024-2463/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://cert.pl/en/posts/2024/03/CVE-2024-2463/\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"https://cert.pl/posts/2024/03/CVE-2024-2463/\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"https://cdex.cloud/\", \"tags\": [\"product\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T19:11:53.617Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-2463\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-01T21:10:33.042953Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:cdex:cdex:*:*:*:*:*:*:*:*\"], \"vendor\": \"cdex\", \"product\": \"cdex\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.7.1\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-01T21:10:54.806Z\"}}], \"cna\": {\"title\": \"Weak password recovery mechanism in CDeX\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Micha\\u0142 Walkowski, PhD\"}], \"impacts\": [{\"capecId\": \"CAPEC-50\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-50 Password Recovery Exploitation\"}]}], \"affected\": [{\"vendor\": \"CDeX PSA\", \"product\": \"CDeX\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.7.1\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://cert.pl/en/posts/2024/03/CVE-2024-2463/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://cert.pl/posts/2024/03/CVE-2024-2463/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://cdex.cloud/\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Weak password recovery mechanism in CDeX application allows to retrieve\\u00a0password\\u00a0reset token.This issue affects CDeX application versions through 5.7.1.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Weak password recovery mechanism in CDeX application allows to retrieve\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003epassword\u0026nbsp;\u003c/span\u003ereset token.\u003cp\u003eThis issue affects CDeX application versions through 5.7.1.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-640\", \"description\": \"CWE-640 Weak Password Recovery Mechanism for Forgotten Password\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2024-03-21T14:50:02.541Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-2463\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T21:13:30.394Z\", \"dateReserved\": \"2024-03-14T17:11:18.241Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2024-03-21T14:50:02.541Z\", \"assignerShortName\": \"CERT-PL\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…