CVE-2020-27747

Possible Account Takeover | Brute Force Ability

[Suggested description] An issue was discovered in Click Studios Passwordstate 8.9 (Build 8973). If a user of the system has assigned themselves a PIN code for logging in from a mobile device using the built-in generator (4 digits), a remote attacker is able to brute-force this PIN code, because the mobile login page does not restrict the number of failed attempts.

[Additional Information] The vendor was notified of the vulnerability by letter.

[VulnerabilityType Other] CWE-307: Improper Restriction of Excessive Authentication Attempts

[Vendor of Product] Click Studios (https://www.clickstudios.com.au/)

[Affected Product Code Base] Affected version: Passwordstate 8.9 (Build 8973). No fixed version is available.

[Affected Component] Mobile login page

[Attack Type] Remote

[Impact Information Disclosure] true

[Attack Vectors] If a user of the system has assigned themselves a PIN code for logging in from a mobile device using the built-in generator (4 digits), a remote attacker is able to brute-force this PIN code. A 4-digit PIN has only 10^4 = 10,000 possible values, so without a limit on failed attempts the whole space can be tried.
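As an added illustration of the CWE-307 mitigation (this is example code, not Click Studios' implementation), a minimal mobile-PIN verifier that counts failed attempts per account and refuses further PIN logins for a lockout window; the account name, PIN store, MAX_ATTEMPTS and LOCKOUT_SECONDS values are assumptions:

```python
"""Hypothetical PIN verifier with attempt limiting (CWE-307 mitigation).

Constructed example, not Passwordstate's code. Assumed policy: at most
MAX_ATTEMPTS failed PIN entries per account, after which PIN login for that
account is refused until LOCKOUT_SECONDS have passed.
"""
import hmac
import time

PIN_DIGITS = 4              # built-in generator produces 4 digits: 10**4 PINs
MAX_ATTEMPTS = 5            # failed attempts tolerated before lockout (assumed)
LOCKOUT_SECONDS = 15 * 60   # lockout window (assumed)


class PinVerifier:
    def __init__(self, pins, clock=time.time):
        self._pins = dict(pins)      # account -> PIN; constructed demo store
        self._failures = {}          # account -> (failed_count, locked_until)
        self._clock = clock          # injectable clock so the window can be tested

    @staticmethod
    def attempts_to_exhaust():
        """Worst-case guesses an unrestricted attacker needs for a 4-digit PIN."""
        return 10 ** PIN_DIGITS

    def verify(self, account, pin):
        """Return 'ok', 'bad_pin' or 'locked'."""
        now = self._clock()
        count, locked_until = self._failures.get(account, (0, 0.0))
        if locked_until:
            if now < locked_until:
                return "locked"          # window still open: refuse even a correct PIN
            count, locked_until = 0, 0.0  # window expired: start a fresh counter
        expected = self._pins.get(account)
        # Constant-time comparison so response timing leaks nothing about the PIN.
        if expected is not None and hmac.compare_digest(expected, pin):
            self._failures.pop(account, None)
            return "ok"
        count += 1
        if count >= MAX_ATTEMPTS:
            self._failures[account] = (count, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[account] = (count, 0.0)
        return "bad_pin"
```

With MAX_ATTEMPTS of 5 per 15 minutes, exhausting the 10,000-value space takes on the order of three weeks per account instead of seconds, and every lockout is an event worth alerting on.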

[Discoverer] Dmitry Kuramin (Jet Infosystems, jet.su)

[Reference] https://jet.su
