Multiple vulnerabilities in Astrotalks

Posted date 30/05/2024
Importance: 4 - High
Affected Resources

Astrotalks, 03/10/2023 version.

Description

INCIBE has coordinated the publication of three vulnerabilities (two of high and one of medium severity, high importance overall) affecting Astrotalks version 03/10/2023, a web platform dedicated to astrology. The vulnerabilities were discovered by David Utón Amaya.

Each vulnerability has been assigned a CVE identifier, a CVSS v3.1 base score with its qualitative rating, the CVSS vector and the CWE weakness type:

  • CVE-2024-5523: 8.8 (High) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-89 (SQL Injection)
  • CVE-2024-5524: 5.3 (Medium) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
  • CVE-2024-5525: 8.3 (High) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L | CWE-269 (Improper Privilege Management)
Solution

The vendor has fixed the vulnerabilities in newer versions of Astrotalks; installations running the 03/10/2023 version should be upgraded to the latest available release.

Detail
  • CVE-2024-5523: SQL injection vulnerability (CWE-89) in Astrotalks version 03/10/2023. An authenticated, low-privileged user can send a specially crafted value in the 'searchString' parameter and retrieve all information stored in the database. The CVSS vector (AV:N, PR:L) indicates the issue is reachable over the network by any registered account; "local user" here refers to an account on the application, not to local system access.
  • CVE-2024-5524: information exposure vulnerability (CWE-200) in Astrotalks version 03/10/2023. Unregistered users can reach all of the application's internal links (pages intended for logged-in users) without providing any credentials, i.e. authentication is not enforced on those pages (PR:N in the vector).
  • CVE-2024-5525: improper privilege management vulnerability (CWE-269) in Astrotalks version 03/10/2023. A low-privileged user can access the application as an administrator without supplying administrator credentials, and can therefore perform administrative actions (PR:L in the vector: an ordinary account is enough).
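The three weakness classes above are easier to reason about side by side in code. The following is an added, self-contained illustration written for this page; it is not Astrotalks' code and does not reproduce its real schema, parameter handling or session mechanism. The table names, the `searchString` handling, the session store, the page-to-role map and all sample rows are constructed assumptions. It shows a 'searchString' lookup built by string concatenation (CWE-89) next to its parameterised fix, and a single server-side authorisation check that rejects unauthenticated access to internal pages (CWE-200) and non-administrator access to admin pages (CWE-269).

```python
import sqlite3

# Constructed sample data (hypothetical schema, not Astrotalks' own).
ARTICLES = [
    ("Aries horoscope", "public"),
    ("Leo horoscope", "public"),
    ("Daily admin notes", "internal"),
]
USERS = [
    ("alice", "hash-alice", "user"),
    ("root", "hash-root", "admin"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, visibility TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO articles (title, visibility) VALUES (?, ?)", ARTICLES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def search_vulnerable(conn, search_string):
    """CWE-89: the user-controlled search string is concatenated into the SQL text.

    A value such as  x' UNION SELECT password_hash FROM users --  closes the
    string literal, appends a UNION over another table and comments out the rest,
    so the query returns data the search was never meant to expose.
    """
    sql = ("SELECT title FROM articles WHERE visibility = 'public' "
           "AND title LIKE '%" + search_string + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, search_string):
    """Fixed form: the value is bound as a parameter, so it can only ever be data."""
    sql = "SELECT title FROM articles WHERE visibility = 'public' AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + search_string + "%",))]


# Hypothetical server-side session store: token -> (username, role).
SESSIONS = {
    "tok-alice": ("alice", "user"),
    "tok-root": ("root", "admin"),
}

# Hypothetical minimum role required for each page.
PAGES = {
    "/": "anonymous",
    "/profile": "user",
    "/admin/users": "admin",
}
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


def authorize(path, session_token):
    """Return the HTTP status an access-controlled dispatcher would produce.

    The role is looked up from the server-side session, never taken from the
    request, and every page is checked, so unauthenticated requests to internal
    pages get 401 (CWE-200) and non-admin requests to admin pages get 403 (CWE-269).
    """
    _user, role = SESSIONS.get(session_token, (None, "anonymous"))
    required = PAGES.get(path)
    if required is None:
        return 404
    if ROLE_RANK[role] < ROLE_RANK[required]:
        return 401 if role == "anonymous" else 403
    return 200


if __name__ == "__main__":
    db = make_db()
    payload = "x' UNION SELECT password_hash FROM users --"
    print("vulnerable:", search_vulnerable(db, payload))
    print("fixed:     ", search_fixed(db, payload))
    print("anon /profile ->", authorize("/profile", None))
    print("alice /admin/users ->", authorize("/admin/users", "tok-alice"))
```

Running the block shows the vulnerable search returning the `users` table's password hashes for the injected value, while the parameterised version returns no rows because the whole string is treated as a LIKE pattern. The `authorize` function is the check a practitioner would expect on every internal route; its role source is the session store, which is what prevents a low-privileged account from promoting itself.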