HIGH🇵🇱 Wersja polska

CVE-2024-51560

CVSS 7.1v4.0pub. 2024-11-04upd. 2024-11-08

This vulnerability exists in the Wave 2.0 due to improper exception handling for invalid inputs at certain API endpoint. An authenticated remote attacker could exploit this vulnerability by providing invalid inputs for “userId” parameter in the API request leading to generation of error message containing sensitive information on the targeted system.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • 63moons Aero

    APP
    63Moons
    < 120820241550
  • 63moons Wave 2.0

    APP
    63Moons
    < 1.1.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-51558CRITICAL9.3PL ✓ten sam produkt

Brak ograniczeń liczby prób logowania w Wave 2.0 (brute force)

CVE-2024-51561CRITICAL9.3PL ✓ten sam produkt

Obejście weryfikacji OTP w produktach 63Moons Aero i Wave 2.0

CVE-2024-51556HIGH7.1ten sam produkt

This vulnerability exists in the Wave 2.0 due to insufficient encryption of sensitive data received at the API...

CVE-2024-51557HIGH7.1ten sam produkt

This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An ...

CVE-2024-51559HIGH7.1ten sam produkt

This vulnerability exists in the Wave 2.0 due to improper authorization checks on certain API endpoints. An au...