🔐 CVE Alert

CVE-2023-36483

MEDIUM 6.5

MAS (a Carrier brand) MASmobile Classic Authorization Bypass

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Authorization bypass can be achieved by session ID prediction in MASmobile Classic Android version 1.16.18 and earlier and MASmobile Classic iOS version 1.7.24 and earlier, which allows remote attackers to retrieve sensitive data including customer data, security system status, and event history.

CWE: CWE-639
Vendor: mas (a carrier brand)
Product: masmobile classic
Published: Mar 16, 2024
Last Updated: Aug 28, 2024

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

MAS (a Carrier brand) / MASmobile Classic (Android): versions 1 through 1.16.18 (inclusive)
MAS (a Carrier brand) / MASmobile Classic (iOS): versions 1 through 1.7.24 (inclusive)
MAS (a Carrier brand) / MAS ASP.Net Services: versions 1 through 1.9 (inclusive)

References

NVD · CVE.org · EPSS Data (external links)
corporate.carrier.com: https://www.corporate.carrier.com/product-security/advisories-resources/

Credits

Joris Talma, independent .NET developer from The Netherlands, reported this vulnerability to Carrier.