CVE-2024-12604

Published Mar 10, 2025

Last updated a month ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-12604 involves two main vulnerabilities in Tapandsign Technologies' Tap&Sign App, versions prior to 1.025. The application stores sensitive information unencrypted within an environment variable, making it potentially accessible to unauthorized individuals. Additionally, the password recovery mechanism is weak, allowing for exploitation and misuse of related functionalities. Disclosed on December 13, 2024, by Mucahit Ic, this vulnerability allows remote exploitation without authentication. The advisory related to this vulnerability can be found at docs.tapandsign.com. Updating the Tap&Sign App to version 1.025 or later mitigates these vulnerabilities.

Description: Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse. This issue affects Tap&Sign App: before V.1.025.
Source: iletisim@usom.gov.tr
NVD status: Analyzed
CNA Tags: exclusively-hosted-service

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 2.5
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

iletisim@usom.gov.tr: CWE-526
nvd@nist.gov: CWE-312
