CVE-2023-3064

7.5 HIGH

📋 TL;DR

This vulnerability allows anonymous (unauthenticated) users to enumerate all user accounts managed by the Mobatime AMXGT100 mobile application. The resulting list of valid accounts is an information disclosure that gives an attacker a ready-made target list for follow-on attacks. It affects the Mobatime AMXGT100 mobile application through version 1.3.20.

💻 Affected Systems

Products:
  • Mobatime mobile application AMXGT100
Versions: through 1.3.20
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the mobile application only. Exploitation requires that the application and the backend it talks to be deployed and reachable by the attacker; no account or credentials are needed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain the complete user directory, enabling targeted credential attacks, social engineering, and exploitation of related vulnerabilities (CVE-2023-3065/3066), leading to account compromise or system takeover.

🟠 Likely Case

Attackers gather user information to perform targeted phishing, credential stuffing, or brute-force attacks against the identified accounts.

🟢 If Mitigated

User enumeration is prevented, forcing attackers to guess valid usernames and significantly reducing attack effectiveness.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple enumeration of an API endpoint that answers without authentication; trivial to automate. The public references describe the exploitation methodology in detail.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is known at the time of writing. Check the vendor website for an AMXGT100 application release later than version 1.3.20 and confirm that it addresses this issue.

🔧 Temporary Workarounds

Network Access Control (all platforms)

Restrict access to the application's backend to trusted networks (for example, behind a VPN) so the endpoint that answers anonymous enumeration requests is not reachable from the internet. The mobile client itself is not what the attacker queries; the backend is.

Application Removal (all platforms)

Uninstall the vulnerable application version until it is patched. This removes the client from managed devices but does not, by itself, stop an attacker from querying the backend directly, so combine it with the network restriction above.

🧯 If You Can't Patch

  • Monitor for unusual authentication attempts against enumerated users, in particular one source trying many distinct usernames in a short window
  • Implement strong password policies and multi-factor authentication so that knowing a valid username alone is not enough to compromise an account

🔍 How to Verify

Check if Vulnerable:

Check the installed AMXGT100 version in the mobile device's application settings; if it is 1.3.20 or earlier, it is vulnerable. To confirm, attempt the user enumeration request against the backend without authenticating; a response that lists accounts confirms exposure.

Check Version:

Check within mobile application settings or device application manager

Verify Fix Applied:

Verify that the installed application version is later than 1.3.20 and re-run the anonymous enumeration check; the backend should now refuse the request (for example, with an authentication error) instead of returning account data.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts for different usernames
  • Unusual API calls to user enumeration endpoints

Network Indicators:

  • Unusual traffic patterns to mobile application backend from untrusted sources

SIEM Query (illustrative; field and event names depend on your logging platform):

source="mobile_app_logs" AND (event="user_enumeration" OR pattern="*user/list*")
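The two log indicators above (anonymous calls to a user-listing endpoint, and many failed logins for different usernames from one client) can be checked offline before a SIEM rule is tuned. The script below is an added example for this page, not Mobatime's code and not a description of the real AMXGT100 API: the log line format, the field names, the /api/users path and the thresholds are all assumptions chosen for illustration, and the sample log lines are constructed, not captured traffic.

```python
"""Detect user-enumeration activity in backend access logs.

Added example for this page (not Mobatime's code). The log format, the
'/api/users' listing path and the thresholds are assumptions for
illustration. Two rules, matching the page's log indicators:
  1. an anonymous caller successfully reading the user directory, and
  2. one client failing logins for many distinct usernames in a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (illustrative):
# <ISO timestamp> <client ip> <anon | user:<name>> <method> <path> <status> [target=<login name>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<principal>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})(?: target=(?P<target>\S+))?$"
)
USER_LIST_PATHS = ("/api/users",)   # assumed listing endpoint, not the real one
SPRAY_WINDOW = timedelta(minutes=5)  # window for rule 2
SPRAY_THRESHOLD = 5                  # distinct usernames from one IP per window

# Constructed sample lines (not real traffic). 198.51.100.7 lists users
# anonymously and then sprays six usernames; the other two clients are benign.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 198.51.100.7 anon GET /api/users 200
2023-06-01T10:00:02Z 198.51.100.7 anon POST /api/login 401 target=alice
2023-06-01T10:00:02Z 198.51.100.7 anon POST /api/login 401 target=bob
2023-06-01T10:00:03Z 198.51.100.7 anon POST /api/login 401 target=carol
2023-06-01T10:00:03Z 198.51.100.7 anon POST /api/login 401 target=dave
2023-06-01T10:00:04Z 198.51.100.7 anon POST /api/login 401 target=erin
2023-06-01T10:00:04Z 198.51.100.7 anon POST /api/login 401 target=frank
2023-06-01T10:05:00Z 203.0.113.9 user:alice GET /api/users 200
2023-06-01T10:06:10Z 203.0.113.9 user:alice GET /api/timecard 200
2023-06-01T10:07:00Z 192.0.2.33 anon POST /api/login 401 target=alice
2023-06-01T10:07:30Z 192.0.2.33 anon POST /api/login 200 target=alice
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore any query string
    return rec


def detect(log_text):
    """Return a list of (rule, client_ip, detail) alerts for the given log text."""
    alerts = []
    failed = defaultdict(list)   # ip -> [(ts, target username)] for failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: unauthenticated principal got a 200 from the user-listing path.
        # After a fix this should be impossible, so any hit is worth an alert.
        if rec["principal"] == "anon" and rec["path"] in USER_LIST_PATHS and rec["status"] == 200:
            alerts.append(("anon_user_listing", rec["ip"], rec["path"]))
        # Collect failed login attempts per client for rule 2.
        if rec["target"] and rec["status"] == 401:
            failed[rec["ip"]].append((rec["ts"], rec["target"]))
    # Rule 2: sliding window over each client's failures, counting distinct names.
    for ip, events in failed.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {name for ts, name in events[i:] if ts - start <= SPRAY_WINDOW}
            if len(names) >= SPRAY_THRESHOLD:
                secs = int(SPRAY_WINDOW.total_seconds())
                alerts.append(("username_spray", ip, f"{len(names)} distinct usernames within {secs}s"))
                break   # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule}: {ip} ({detail})")
```

On the constructed sample the script raises two alerts, both for 198.51.100.7, and none for the authenticated directory read by alice or the single failed-then-successful login from 192.0.2.33. Rule 1 is also a cheap post-fix check: once the backend requires authentication for the listing endpoint, any anonymous 200 on that path means the fix is not in effect.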

🔗 References
