CVE-2024-13185
Published: 08 January 2025
Summary
CVE-2024-13185 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vivo (inferred from references). Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-13185 is a vulnerability in the MinigameCenter module stemming from insufficient restrictions on loading URLs, which can result in information leakage. This issue is classified under CWE-306 (Missing Authentication for Critical Function) and affects vivo products, as indicated by the vendor's security advisory. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact with network accessibility and no requirements for privileges or user interaction.
A remote, unauthenticated attacker can exploit this flaw over the network with low complexity. By leveraging the inadequate URL loading controls in the MinigameCenter module, the attacker can access sensitive information without impacting integrity or availability, potentially exposing user data or system details.
vivo has published a security advisory detailing the issue at https://www.vivo.com/en/support/security-advisory-detail?id=15, which security practitioners should consult for mitigation guidance, patches, or workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51407
Vulnerability details
The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication on a network-accessible module directly enables remote exploitation of a public-facing application for unauthorized data access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Prohibits critical functions like unrestricted URL loading in the MinigameCenter module without identification and authentication, directly addressing CWE-306 missing authentication.
Enforces approved authorizations to prevent unauthenticated remote attackers from accessing sensitive information via inadequate URL loading restrictions.
Controls information flows to restrict unauthorized URL loads in the MinigameCenter module, mitigating the path to information leakage.