CVE-2024-12056: Client Secret not checked with OAuth Password grant type

2.3 CVSS

Description

The client secret is not checked when using the OAuth Password grant type.

By exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment.
Exploitation requires valid credentials and does not permit the attacker to bypass user privileges.
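As an added illustration of the check the description refers to (not code from PcVue or the advisory, with constructed client and user records), a minimal token-endpoint handler for the password grant in two forms: the first verifies only the resource owner's credentials, so any client_id is accepted; the second also authenticates the registered client, as RFC 6749 section 4.3.2 requires for confidential clients.

```python
import hmac
import secrets

# Constructed registry of OAuth clients and users (hypothetical values, not from the advisory).
CLIENTS = {
    "scada-dashboard": {"secret": "s3cr3t-client-value", "grants": {"password"}},
}
USERS = {"operator": "correct-horse-battery"}


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; encode so non-ASCII input cannot raise in compare_digest.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def _valid_user(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and _same(expected, password)


def password_grant_vulnerable(form: dict) -> dict:
    """Behaviour the advisory describes: user credentials are verified,
    but client_secret is never compared, so an unregistered client can obtain a token."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    if not _valid_user(form.get("username", ""), form.get("password", "")):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def password_grant_fixed(form: dict) -> dict:
    """Hardened form: authenticate the client first (registered, correct secret,
    allowed to use this grant), then verify the resource owner's credentials."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or not _same(client["secret"], form.get("client_secret", "")):
        return {"error": "invalid_client"}
    if "password" not in client["grants"]:
        return {"error": "unauthorized_client"}
    if not _valid_user(form.get("username", ""), form.get("password", "")):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
```

A useful detection signal in token-endpoint logs is a successful password-grant issuance for a client_id that is absent from the client registry; the fixed handler makes that impossible by returning invalid_client instead.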

Classification

CVE ID: CVE-2024-12056

CVSS Base Severity: LOW

CVSS Base Score: 2.3

Affected Products

Vendor: arcinfo

Product: PcVue

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation)

EPSS Percentile: 11.44% (share of all scored vulnerabilities with a score equal to or lower than this one)

EPSS Date: 2025-02-03 (date the score was calculated)

References

https://www.pcvue.com/security/security/#SB2024-4

Timeline