CVE-2024-1623

Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. This vulnerability could allow a local attacker to access the administration panel without requiring login credentials. This vulnerability is possible because the Login.asp and logout.asp files do not handle session details correctly.

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Potential Mitigations

References

• https://www.incibe.es/en/incibe-cert/notices/aviso/insufficient-session-timeout-vulnerability-sagemcom-router
• https://www.incibe.es/en/incibe-cert/notices/aviso/insufficient-session-timeout-vulnerability-sagemcom-router