How severe is CVE-2024-23674?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.6 out of 10.

What type of vulnerability is CVE-2024-23674?

This is classified as CWE-290, which is a common weakness in software security.

CVE-2024-23674 - CRITICAL Severity | CVSS 9.6

Vulnerability Description

The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify for access to government, medical, and financial resources, and can also extract personal data from the card, aka the "sPACE (Spoofing Password Authenticated Connection Establishment)" issue. This occurs because of a combination of factors, such as insecure PIN entry (for basic readers) and eid:// deeplinking. The victim must be using a modified eID kernel, which may occur if the victim is tricked into installing a fake version of an official app. NOTE: the BSI position is "ensuring a secure operational environment at the client side is an obligation of the ID card owner."

Related Vulnerabilities

CVE-2022-31149

CRITICAL

CVSS:9.6(Critical)

ActivityWatch open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker f...

CWE-2902022

CVE-2024-12108

CRITICAL

CVSS:9.6(Critical)

In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.

CWE-2902024

CVE-2024-32977

CRITICAL

CVSS:9.4(Critical)

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely ...

CWE-2902024

CVE-2024-54450

CRITICAL

CVSS:9.4(Critical)

An issue was discovered in Kurmi Provisioning Suite 7.9.0.33. If an X-Forwarded-For header is received during authentication, the Kurmi application will record the (possibly forged) IP address mention...

CWE-2902024

CVE-2025-25182

CRITICAL

CVSS:9.4(Critical)

Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authenti...

CWE-2902025

CVE-2009-1048

CRITICAL

CVSS:9.8(Critical)

The web interface on the snom VoIP phones snom 300, snom 320, snom 360, snom 370, and snom 820 with firmware 6.5 before 6.5.20, 7.1 before 7.1.39, and 7.3 before 7.3.14 allows remote attackers to bypa...

CWE-2902009