3Scale Admin Portal Cached Personal Tokens Exposed Post-Logout
CVE-2023-4910 Published on November 6, 2023
3scale-admin-portal: logged out users tokens can be accessed
A flaw was found In 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache.
Vulnerability Analysis
CVE-2023-4910 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2023-4910. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Products Associated with CVE-2023-4910
stack.watch emails you whenever new vulnerabilities are published in Red Hat 3scale Api Management or Red Hat 3scale Amp. Just hit a watch button to start following.
Affected Versions
Red Hat 3scale API Management Platform 2:Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.