CVE-2023-6451
Publicly Known Cryptographic Machine Key In Procura Portal Application
In short
The Procura Portal application signs its authentication cookies with a cryptographic machine key that is publicly known. Anyone who holds that key can mint cookies that the application accepts as genuine, and so gain access to user accounts without valid credentials.
Technical detail
The application employs a hardcoded or publicly disclosed machine key for cryptographic operations (CWE-1394). An unauthenticated attacker can leverage this known key to forge valid authentication tokens, bypassing authentication controls and gaining unauthorized access to protected resources. The vulnerability affects versions prior to 9.0.1.2.
Summary generated and translated by AI from the official description.
Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
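The advisory does not say which framework Procura Portal uses or how its cookies are built, so the following is an added, generic illustration rather than the vendor's code: an HMAC-signed session cookie scheme, an audit function that flags a signing key matching a constructed list of "publicly known" sample values (the kind of weakness CWE-1394 describes), and a key-rotation path that shows why cookies minted under a leaked key stop validating once the key is replaced. The placeholder keys, the cookie format and the function names are all assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed placeholders standing in for keys that appear in sample configs,
# documentation or public posts. A real audit would load the product's known
# published values here; these are not Procura Portal's actual keys.
KNOWN_PUBLIC_KEYS = {
    bytes.fromhex("00" * 32),                       # all-zero filler key
    b"CHANGEME-PLACEHOLDER-KEY-0123456789ABCDEF",   # sample-config style key
}

MIN_KEY_BYTES = 32  # 256-bit key for HMAC-SHA256


def audit_machine_key(key: bytes) -> list[str]:
    """Return findings for a configured signing key; an empty list means OK."""
    findings = []
    if key in KNOWN_PUBLIC_KEYS:
        findings.append("key matches a publicly known / sample value (CWE-1394)")
    if len(key) < MIN_KEY_BYTES:
        findings.append(f"key is only {len(key)} bytes; expected at least {MIN_KEY_BYTES}")
    if len(set(key)) <= 2:
        findings.append("key has almost no byte variety; looks like a filler value")
    return findings


def generate_machine_key() -> bytes:
    """Fresh per-deployment key from the OS CSPRNG (the remediation step)."""
    return secrets.token_bytes(MIN_KEY_BYTES)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(key: bytes, user: str, now: int, ttl: int = 3600) -> str:
    """Build '<payload>.<tag>' where tag = HMAC-SHA256(key, payload)."""
    claims = {"sub": user, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(key: bytes, cookie: str, now: int):
    """Return the subject if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the verifier does not leak tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    leaked = b"CHANGEME-PLACEHOLDER-KEY-0123456789ABCDEF"
    print("audit of sample key:", audit_machine_key(leaked))
    old_cookie = issue_cookie(leaked, "alice", now=1_700_000_000)
    print("accepted under leaked key:", verify_cookie(leaked, old_cookie, 1_700_000_100))
    fresh = generate_machine_key()
    print("audit of fresh key:", audit_machine_key(fresh))
    print("accepted after rotation:", verify_cookie(fresh, old_cookie, 1_700_000_100))
```

The audit only catches keys you already know to be public, so treat it as one check among several; the durable fix is the one the `__main__` block walks through: generate a unique key per deployment, rotate it, and accept that every cookie issued under the old key (legitimate or forged) becomes invalid at that moment.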
Affected products
AlayaCare · Procura Portal