CVE-2022-34771
CVE-2022-34771 is a low-severity vulnerability rated 3.5/10 on the CVSS scale. Tabit: arbitrary SMS send on Tabit's behalf. The resend OTP API of Tabit allows an adversary to send messages on Tabit's behalf to anyone registered on the system. The API receives the parameters phone number and CustomMessage, and it can be used to craft malicious messages to any user of the system. EPSS estimates a 0.38% chance of exploitation in the next 30 days.
Description
Tabit: arbitrary SMS send on Tabit's behalf. The resend OTP API of Tabit allows an adversary to send messages on Tabit's behalf to anyone registered on the system. The API receives the parameters phone number and CustomMessage, and it can be used to craft malicious messages to any user of the system. In addition, the API probably has some kind of template injection potential: when {{OTP}} is entered in the custom message field, it is formatted into an OTP.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Tabit | Tabit | < 3.27.0 |
References
- https://www.gov.il/en/departments/faq/cve_advisories (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status: Modified
Source: NVD / NIST
