FKIE_CVE-2024-13061

Vulnerability from fkie_nvd - Published: 2024-12-31 12:15 - Updated: 2026-06-17 07:01
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Electronic Official Document Management System from 2100 Technology has an Authentication Bypass vulnerability. Although the product enforces an IP whitelist for the API used to query user tokens, unauthenticated remote attackers can still deceive the server to obtain tokens of arbitrary users, which can then be used to log into the system.
References
twcert@cert.org.twhttps://www.chtsecurity.com/news/255984da-6630-4e25-ba9b-5ce6933935a6
twcert@cert.org.twhttps://www.chtsecurity.com/news/ade9e9af-61d0-4e3c-8aa0-e8524ee2cfbc
twcert@cert.org.twhttps://www.twcert.org.tw/en/cp-139-8340-d8b16-2.html
twcert@cert.org.twhttps://www.twcert.org.tw/tw/cp-132-8339-570fa-1.html
Impacted products
Vendor Product Version
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Official Document Management System",
          "vendor": "2100 Technology Electronic",
          "versions": [
            {
              "lessThan": "5.0.86.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "twcert@cert.org.tw"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Electronic Official Document Management System from 2100 Technology has an Authentication Bypass vulnerability. Although the product enforces an IP whitelist for the API used to query user tokens, unauthenticated remote attackers can still deceive the server to obtain tokens of arbitrary users, which can then be used to log into the system."
    },
    {
      "lang": "es",
      "value": "Electronic Official Document Management System de 2100 Technology tiene una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n. Aunque el producto aplica una lista blanca de direcciones IP para la API utilizada para consultar tokens de usuarios, los atacantes remotos no autenticados a\u00fan pueden enga\u00f1ar al servidor para obtener tokens de usuarios arbitrarios, que luego pueden usarse para iniciar sesi\u00f3n en el sistema."
    }
  ],
  "id": "CVE-2024-13061",
  "lastModified": "2026-06-17T07:01:05.167",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "twcert@cert.org.tw",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2024-13061",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2024-12-31T15:12:08.985712Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2024-12-31T12:15:22.967",
  "references": [
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.chtsecurity.com/news/255984da-6630-4e25-ba9b-5ce6933935a6"
    },
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.chtsecurity.com/news/ade9e9af-61d0-4e3c-8aa0-e8524ee2cfbc"
    },
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.twcert.org.tw/en/cp-139-8340-d8b16-2.html"
    },
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.twcert.org.tw/tw/cp-132-8339-570fa-1.html"
    }
  ],
  "sourceIdentifier": "twcert@cert.org.tw",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "twcert@cert.org.tw",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.