{"vuid":"VU#251628","idnumber":"251628","name":"AMTELCO miSecureMessages Server insecurely authenticates clients","keywords":["amtelco","misecuremessages","authentication","bypass","cwe-287"],"overview":"AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages (CWE-287).","clean_desc":"AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages. miSecureMessages authenticates client app XML requests for messaging data using the contact identifier value and a valid license key. The contact identifier is trivial to guess and a license key will be present on a licensed client app. AMTELCO has provided a vendor statement about this vulnerability.","impact":"A remote attacker may be able to read users' messages by iterating through contact identifier values.","resolution":"AMTELCO has addressed this vulnerability in miSecureMessages Server Release 6.3 which is available to all customers (login required).","workarounds":"","sysaffected":"","thanks":"Thanks to Jared Bird for reporting this vulnerability.","author":"This document was written by Jared Allar.","public":["https://itunes.apple.com/us/app/misecuremessages/id423957478?mt=8","https://play.google.com/store/apps/details?id=com.amtelco.secure","https://misecuremessages.com/","https://cwe.mitre.org/data/definitions/287.html","https://service.amtelco.com"],"cveids":["CVE-2014-0357"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-03-03T10:47:18Z","publicdate":"2014-04-11T00:00:00Z","datefirstpublished":"2014-04-11T22:10:13Z","dateupdated":"2014-04-18T22:22:59Z","revision":41,"vrda_d1_directreport":"1","vrda_d1_population":"1","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.1","cvss_basevector":"AV:N/AC:M/Au:N/C:C/I:N/A:N","cvss_temporalscore":"5.6","cvss_environmentalscore":"1.39453609176","cvss_environmentalvector":"CDP:ND/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}
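The record above describes the weakness only in prose: a request is accepted when it names a contact identifier and carries a valid license key, the identifier is guessable, and the license key is shared by every licensed client. The following Python model is an added illustration of that CWE-287 pattern and of the usual fix; it is not AMTELCO code, not the real miSecureMessages XML protocol, and every name, contact identifier, message and key in it is constructed for the example. It shows why "holds a license key" is possession of a client, not proof of identity, and contrasts it with a per-contact bearer token that only unlocks the contact it was issued to.

```python
"""
Hypothetical model of the authentication weakness in VU#251628 (CWE-287).
Added illustration: not AMTELCO code, not the real miSecureMessages
request format, identifiers or keys.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hmac
import secrets

# Constructed sample data. Contact ids are small sequential integers (the
# "trivial to guess" property) and one license key is shared by every
# installed client, so any licensed client holds it.
SHARED_LICENSE_KEY = "LIC-EXAMPLE-0001"
MESSAGES: Dict[int, List[str]] = {
    1001: ["Patient in room 4 needs a callback"],
    1002: ["Lab results ready for review"],
    1003: ["Page the on-call re: discharge"],
}


def weak_fetch(contact_id: int, license_key: str) -> Optional[List[str]]:
    """Vulnerable pattern: the license key only proves the caller has *a*
    licensed client, not that the caller *is* contact_id, yet the server
    releases that contact's messages on the strength of it."""
    if not hmac.compare_digest(license_key, SHARED_LICENSE_KEY):
        return None
    return MESSAGES.get(contact_id)


def enumerate_weak(license_key: str, start: int, stop: int) -> Dict[int, List[str]]:
    """What a holder of any licensed client's key can do: walk the contact
    identifier space and collect every user's messages."""
    found: Dict[int, List[str]] = {}
    for cid in range(start, stop):
        msgs = weak_fetch(cid, license_key)
        if msgs:
            found[cid] = msgs
    return found


@dataclass
class HardenedServer:
    """Hardened pattern: each contact is issued its own high-entropy bearer
    token at enrolment, and a request is authorised only for the contact
    that token was issued to. Guessing other contact ids gains nothing
    without that contact's token."""
    tokens: Dict[int, str] = field(default_factory=dict)

    def enrol(self, contact_id: int) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[contact_id] = token
        return token

    def fetch(self, contact_id: int, token: str) -> Optional[List[str]]:
        expected = self.tokens.get(contact_id)
        # Unknown contact, or token not bound to this contact: refuse.
        if expected is None or not hmac.compare_digest(token, expected):
            return None
        return MESSAGES.get(contact_id)


def enumerate_hardened(server: HardenedServer, token: str,
                       start: int, stop: int) -> Dict[int, List[str]]:
    """The same enumeration attempt against the hardened server: the token
    unlocks only the single contact it belongs to."""
    found: Dict[int, List[str]] = {}
    for cid in range(start, stop):
        msgs = server.fetch(cid, token)
        if msgs:
            found[cid] = msgs
    return found


if __name__ == "__main__":
    print("weak server, one license key:", enumerate_weak(SHARED_LICENSE_KEY, 1000, 1010))
    srv = HardenedServer()
    tok = srv.enrol(1002)
    print("hardened server, contact 1002's token:", enumerate_hardened(srv, tok, 1000, 1010))
```

The point of the contrast is the binding: in the weak model the only secret is common to all clients, so the request carries no evidence about which user is asking, and the contact identifier becomes an unauthenticated selector over everyone's data. A per-principal secret (token, client certificate, or a signature with a per-user key) ties each request to exactly one contact, which is the property the vendor's 6.3 fix needs to provide, whatever mechanism it uses.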