Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Tabit - arbitrary SMS send on Tabits behalf. The resend OTP API of tabit allows an adversary to send messages on tabits behalf to anyone registered on the system - the API receives the parameters: phone number, and CustomMessage, We can use that API to craft malicious messages to any user of the system. In addition, the API probably has some kind of template injection potential. When entering {{OTP}} in the custom message field it is formatted into an OTP.
AnalysisAI
Tabit - arbitrary SMS send on Tabits behalf. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
Tabit - arbitrary SMS send on Tabits behalf. The resend OTP API of tabit allows an adversary to send messages on tabits behalf to anyone registered on the system - the API receives the parameters: phone number, and CustomMessage, We can use that API to craft malicious messages to any user of the system. In addition, the API probably has some kind of template injection potential. When entering {{OTP}} in the custom message field it is formatted into an OTP. Affected products include: Tabit.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Tabit - HTTP Method manipulation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no aut
Tabit - password enumeration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack com
Tabit - giftcard stealth. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication
Tabit - Excessive data exposure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authenti
Tabit - sensitive information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
Tabit - Arbitrary account modification. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today