CVE-2023-6144 CRITICAL

CVE-2023-6144: Dev Blog v1.0 - ATO

Vendor Dev Blog
Product Dev Blog
Weakness CWE-639 · IDOR
Published November 20, 2023
Last update August 2, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Dev blog v1.0 allows to exploit an account takeover through the "user" cookie. With this, an attacker can access any user's session just by knowing their username.

Key dates

02Disclosure timeline

November 20, 2023 CVE published
August 2, 2024 Record updated