CVE-2023-6144

CRITICAL

Dev blog v1.0 - Unauthenticated Account Takeover via User Cookie

Title source: llm

Description

Dev blog v1.0 allows to exploit an account takeover through the "user" cookie. With this, an attacker can access any user's session just by knowing their username.

References (2)

Core 2

Core References

Product

https://github.com/Armanidrisi/devblog/

View Writeup ZIP pw:eip

Exploit, Third Party Advisory

https://fluidattacks.com/advisories/almighty/

Scores

CVSS v3 9.1

EPSS 0.0045

EPSS Percentile 35.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-639

Status published

Products (1)

armanidrisi/dev_blog 1.0

Published Nov 21, 2023

Tracked Since Feb 18, 2026