CVE-2024-8888— Insufficient Session Expiration vulnerability on CIRCUTOR Q-SMT
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-8888
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Insufficient Session Expiration vulnerability on CIRCUTOR Q-SMT
Source: NVD (National Vulnerability Database)
Vulnerability Description
An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的会话过期机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
CIRCUTOR Q-SMT 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CIRCUTOR Q-SMT是CIRCUTOR公司的一个工业硬件设备。 CIRCUTOR Q-SMT 1.0.4版本存在代码问题漏洞,该漏洞源于使用的令牌没有过期日期,导致攻击者可以通过网络捕获、本地存储的网页信息等不同方法窃取令牌,并无限制地访问网页应用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| CIRCUTOR | CIRCUTOR Q-SMT | 1.0.4 | - |
II. Public POCs for CVE-2024-8888
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-8888
请登录查看更多情报信息。
Same Patch Batch · CIRCUTOR · 2024-09-18 · 6 CVEs total
| CVE-2024-8887 | 10.0 CRITICAL | Authentication bypass vulnerability on CIRCUTOR Q-SMT |
| CVE-2024-8889 | 9.3 CRITICAL | Improper Input Validation vulnerability on CIRCUTOR TCP2RS+ |
| CVE-2024-8890 | 8.0 HIGH | Insertion of Sensitive Information Into Sent Data vulnerability on CIRCUTOR Q-SMT |
| CVE-2024-8891 | 5.3 MEDIUM | Exposure of Private Personal Information to an Unauthorized Actor vulnerability on CIRCUTO |
| CVE-2024-8892 | 5.3 MEDIUM | Uncontrolled Resource Consumption vulnerability on CIRCUTOR TCP2RS+ |
IV. Related Vulnerabilities
Same weakness: CWE-613
- CVE-2026-41902
FreeScout's user invitation hash never expires: permanent un - CVE-2026-41519
Weblate's API Token Not Invalidated on Password Change - CVE-2026-41891
CI4MS: Deactivated User Session Bypass (active=0) - CVE-2026-40934
jupyter-server authentication cookies remain valid after pas - CVE-2026-42421
OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shar
V. Comments for CVE-2024-8888
No comments yet