CVE-2022-24689

Name of the Vulnerable Software and Affected Versions DSK DSKNet versions 2.16.136.0 through 2.17.136.5

Description The issue concerns a mishandling of access control, allowing a remote attacker to access account information pages, including personal data, without authentication. The accessible information includes badge numbers that serve as user login names, which are protected by a 4-digit PIN code. This PIN code can potentially be guessed through brute force attempts, with a maximum of 10,000 attempts.

Recommendations For versions 2.16.136.0 through 2.17.136.5, consider restricting access to account information pages until a proper fix for the access control issue is implemented. As a temporary workaround, enhancing the PIN code security, such as increasing its length or implementing a more secure authentication method, could help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.