CVE-2024-31842

Name of the Vulnerable Software and Affected Versions Italtel Embrace version 1.6.4

Description An issue was discovered in the web application where the access token of an authenticated user is inserted inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Because the access token is sent in GET requests, this could lead to complete account takeover.

Recommendations For Italtel Embrace version 1.6.4, consider disabling the use of access tokens in GET requests as a temporary workaround until a patch is available. Restrict access to sensitive information and session identifiers to minimize the risk of exploitation. Avoid using sensitive information in query strings for URLs to prevent potential recording in browser history, web logs, or other sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.