CVE-2023-48392
CRITICAL
Kaifa WebITR Attendance System - Unauthenticated Account Access via Hard-coded Cryptographic Key
Title source: llmDescription
Kaifa Technology WebITR is an online attendance system. It uses a hard-coded encryption key, so an unauthenticated remote attacker can generate a valid token parameter and use it to access the system as an arbitrary user account, including the administrator's account, exercising that account's permissions and obtaining the information it can reach.
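The vulnerability class above (CWE-321 / CWE-798: a signing key compiled into the application, so anyone who can read the binary can mint tokens for any account) is shown below as an added, constructed example. It is not WebITR code, and the token layout, claim names, the placeholder key value and the WEBAPP_TOKEN_KEY variable are all assumptions for illustration; the advisory does not publish the real key or token format. The block pairs the vulnerable pattern with a hardened server that derives a per-deployment key from a CSPRNG or the environment.

```python
"""Hard-coded token-signing key (CWE-321 / CWE-798) next to the hardened form.

Constructed illustration of the vulnerability class in CVE-2023-48392. Not
WebITR code: the token format, claim names and key handling are assumptions.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# --- Vulnerable pattern --------------------------------------------------
# The signing key is a constant in the application. Anyone who can read the
# installed binary or source recovers it, so the signature proves nothing
# about who minted the token. (Placeholder value, not the real key.)
HARDCODED_KEY = b"changeme-webapp-token-key"


def mint_token(claims: dict, key: bytes) -> str:
    """Return '<base64url(json claims)>.<hex hmac-sha256 over that body>'."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the tag matches `key` and the token is unexpired, else None."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    try:
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) < (now if now is not None else int(time.time())):
        return None
    return claims


def login_vulnerable(username: str) -> str:
    """What the vulnerable server does: sign every session with the constant key."""
    return mint_token({"user": username, "exp": int(time.time()) + 3600}, HARDCODED_KEY)


def authenticate_vulnerable(token: str) -> Optional[dict]:
    return verify_token(token, HARDCODED_KEY)


def forge_token(username: str, recovered_key: bytes) -> str:
    """Attacker side: with the key read out of the application, mint a token
    for any account (e.g. the administrator) without ever logging in."""
    return mint_token({"user": username, "exp": int(time.time()) + 3600}, recovered_key)


# --- Hardened pattern ----------------------------------------------------
class HardenedServer:
    """Key is per deployment: taken from the environment (assumed variable
    WEBAPP_TOKEN_KEY, hex-encoded) or generated with a CSPRNG at first start.
    It never appears in source or in the shipped binary."""

    def __init__(self, key: Optional[bytes] = None):
        env = os.environ.get("WEBAPP_TOKEN_KEY")
        self.key = key or (bytes.fromhex(env) if env else secrets.token_bytes(32))

    def login(self, username: str, ttl: int = 3600) -> str:
        return mint_token({"user": username, "exp": int(time.time()) + ttl}, self.key)

    def authenticate(self, token: str) -> Optional[dict]:
        return verify_token(token, self.key)


if __name__ == "__main__":
    forged = forge_token("admin", HARDCODED_KEY)
    print("vulnerable server accepts forged admin token:", authenticate_vulnerable(forged))
    srv = HardenedServer()
    print("hardened server accepts forged token:", srv.authenticate(forged))
    print("hardened server accepts its own token:", srv.authenticate(srv.login("alice")))
```

The forged token is accepted by `authenticate_vulnerable` because the attacker and the server share the same constant; the same token is rejected by `HardenedServer` because its key is unique to the installation. A hard-coded key also cannot be rotated after disclosure without shipping a new build, which is why a per-deployment secret (or opaque server-side session identifiers that carry no signed claims at all) is the usual fix.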
References (1)
Core 1
Core References
Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-7622-57e5f-1.html
Scores
CVSS v3
9.8
EPSS
0.0057
EPSS Percentile
42.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-321
CWE-798
Status
published
Products (1)
kaifa/webitr_attendance_system
2.1.0.23
Published
Dec 15, 2023
Tracked Since
Feb 18, 2026