Description

An attacker who can spoof the IP address and the User-Agent of a logged-in user can take over that user's session because of flaws in the self-developed session management. If two users access the web interface from the same IP address, each is logged in as the other user.

PUBLISHED Reserved 2024-03-05 | Published 2024-12-12 | Updated 2025-11-03 | Assigner SEC-VLab

Problem types

CWE-384 Session Fixation

Product status

Default status
affected

Any version
affected

Credits

Daniel Hirschberger (SEC Consult Vulnerability Lab) finder

Tobias Niemann (SEC Consult Vulnerability Lab) finder

References

seclists.org/fulldisclosure/2024/Dec/2

r.sec-consult.com/imageaccess third-party-advisory

www.imageaccess.de/?page=SupportPortal&lang=en patch

cve.org (CVE-2024-28144)

nvd.nist.gov (CVE-2024-28144)