PT-2023-13466 · Unknown · Shop Beat Media Player

Published 2023-05-30 · Updated 2025-01-13 · CVE-2022-36249

CVSS v3.1 5.4 Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Shop Beat Media Player versions 2.5.95 through 3.2.57

Description

The issue allows bypassing 2FA via APIs, specifically for Controlpanel Lite. After logging in, it is possible to use the bearer token or jsession ID to access APIs without entering the 2FA code, thus bypassing 2FA at the API level.

Recommendations

For versions 2.5.95 through 3.2.57, as a temporary workaround, consider restricting access to APIs that use bearer token or jsession ID until a patch is available. Avoid using the bearer token or jsession ID to access APIs without entering the 2FA code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
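
The flaw class described above, next to the server-side check that closes it, as an added Python sketch that is not Shop Beat's code. Every name and path in it (`Session`, `PRE_MFA_PATHS`, `authorize_weak`, `authorize_strict`, `/api/devices`) is a hypothetical stand-in, and the second-factor check is reduced to a boolean.

```python
# Added illustration; all names and paths are hypothetical, not the product's API.
from dataclasses import dataclass
from typing import Optional
import secrets

@dataclass
class Session:
    user: str
    mfa_required: bool
    mfa_verified: bool = False

SESSIONS: dict[str, Session] = {}

# Only these routes may be reached with a password-only session (assumed paths).
PRE_MFA_PATHS = {"/auth/2fa/verify", "/auth/logout"}

def login(user: str, mfa_required: bool = True) -> str:
    """Password step passed: a token/session ID exists before any 2FA prompt."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, mfa_required)
    return token

def verify_second_factor(token: str, code_ok: bool) -> Optional[str]:
    """On a correct code, retire the pre-2FA token and issue a verified one."""
    session = SESSIONS.get(token)
    if session is None or not code_ok:
        return None
    del SESSIONS[token]                      # old token stops working everywhere
    session.mfa_verified = True
    new_token = secrets.token_urlsafe(32)
    SESSIONS[new_token] = session
    return new_token

def authorize_weak(token: str, path: str) -> bool:
    """Flawed pattern: any token issued at login is accepted on every API route."""
    return token in SESSIONS

def authorize_strict(token: str, path: str) -> bool:
    """Hardened pattern: the API layer itself checks the session's 2FA state."""
    session = SESSIONS.get(token)
    if session is None:
        return False
    if session.mfa_required and not session.mfa_verified:
        return path in PRE_MFA_PATHS         # deny everything else until 2FA is done
    return True
```

The strict check belongs in the shared request filter for the API, so that bearer tokens and session cookies pass through the same 2FA-state test regardless of which client presents them.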

Missing Authentication

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers

CVE-2022-36249

Affected Products

Shop Beat Media Player