CVE-2023-36483

MAS (a Carrier brand) MASmobile Classic Authorization Bypass

Description

Authorization bypass can be achieved by session ID prediction in MASmobile Classic Android version 1.16.18 and earlier and MASmobile Classic iOS version 1.7.24 and earlier, which allows remote attackers to retrieve sensitive data including customer data, security system status, and event history. Because the session IDs can be predicted rather than having to be stolen, an attacker who holds one valid session (for example, their own) can enumerate other users' sessions without any further credential.
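The weakness class behind this CVE, as an added illustration that is not MAS's code and not derived from the MASmobile Classic or MAS ASP.Net Services implementation (the page does not say how the real session IDs were generated): a hypothetical server that issues counter-based session IDs, the attacker's enumeration from one observed ID, a hardened variant using the OS CSPRNG, and the simple sequential-ID check a tester can run on a sample of IDs collected by logging in repeatedly. Python is used here for portability; all class and function names, the starting counter value, and the usernames are constructed for the example.

```python
"""Predictable vs. unguessable session IDs: attacker enumeration and a tester's check.

Constructed illustration of session-ID prediction; not MASmobile's actual code.
"""
import secrets


class PredictableSessionStore:
    """Hypothetical weak server: session IDs come from a counter, so seeing one
    ID (your own) reveals the IDs issued to everyone who logged in before or after."""

    def __init__(self, start=1000, width=8):
        self._next = start          # assumed starting value for the example
        self._width = width
        self.sessions = {}          # sid -> username

    def login(self, username):
        sid = f"{self._next:0{self._width}d}"
        self._next += 1
        self.sessions[sid] = username
        return sid

    def lookup(self, sid):
        # The only "authorization" check is whether the ID exists.
        return self.sessions.get(sid)


class RandomSessionStore(PredictableSessionStore):
    """Hardened variant: 256 bits per session from the OS CSPRNG (secrets module)."""

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid


def predict_neighbors(observed_sid, span=5):
    """Attacker step: from one counter-style ID, enumerate the IDs around it."""
    n = int(observed_sid)
    width = len(observed_sid)
    return [f"{n + d:0{width}d}" for d in range(-span, span + 1)
            if d != 0 and n + d >= 0]


def hijack_by_prediction(store, observed_sid, span=5):
    """Try every predicted ID against the server; return {sid: victim} for hits."""
    hits = {}
    for sid in predict_neighbors(observed_sid, span):
        user = store.lookup(sid)
        if user is not None:
            hits[sid] = user
    return hits


def hijack_by_guessing(store, attempts=10000):
    """Against random 256-bit IDs the attacker can only guess blindly; count hits."""
    return sum(1 for _ in range(attempts)
               if store.lookup(secrets.token_urlsafe(32)) is not None)


def looks_sequential(sids, max_gap=100):
    """Tester's check on IDs collected from repeated logins: True when every ID
    is an integer and the sorted gaps between them are small and positive."""
    try:
        nums = sorted(int(s) for s in sids)
    except ValueError:
        return False
    gaps = [b - a for a, b in zip(nums, nums[1:])]
    return bool(gaps) and all(0 < g <= max_gap for g in gaps)


def demo():
    """Three victims log in, then the attacker logs in and attacks both servers."""
    weak = PredictableSessionStore()
    for victim in ("alice", "bob", "carol"):
        weak.login(victim)
    attacker_sid = weak.login("mallory")       # attacker's own legitimate session
    stolen = hijack_by_prediction(weak, attacker_sid)

    strong = RandomSessionStore()
    for victim in ("alice", "bob", "carol"):
        strong.login(victim)
    strong.login("mallory")
    guessed = hijack_by_guessing(strong)
    return stolen, guessed


if __name__ == "__main__":
    stolen, guessed = demo()
    print("sessions hijacked via prediction:", stolen)
    print("sessions hijacked via blind guessing:", guessed)
```

The fix is not to obscure the counter (hashing or encoding a predictable value stays predictable) but to draw every session ID from a cryptographically secure random source with at least 128 bits of entropy, invalidate it on logout, and bind authorization to the authenticated principal rather than to mere existence of the ID.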

Remediation

Solution:

  1. Uninstall the MASmobile Classic Services. These services are installed and configured manually in IIS within a virtual directory; to uninstall, unpublish the services in IIS and remove the service files. All versions (v1.7, 1.8, and 1.9) have been discontinued.
  2. Remove the MASmobile Classic app from Android and iOS devices. All versions (v1.x.x) have been discontinued and are no longer available in the app stores (Google Play and the App Store).
  3. Contact MAS to arrange the installation of MASterMind EX Services (v6.46 or later). These services do not run under IIS and must be configured in coordination with the customer.
  4. Install the MASmobile app (v2.x.x) from Google Play or the App Store. This is not an upgrade to MASmobile Classic; it is a different app.

Note that no patched release of MASmobile Classic or of the Classic services exists: the remediation is removal and replacement, so any remaining IIS virtual directory hosting the Classic services keeps the vulnerable endpoints reachable.

Severity

CVSS 3.1 base score: 6.5 (Medium)
EPSS: 0.05%

Affected: MAS (a Carrier brand) MASmobile Classic (Android and iOS)
Affected: MAS (a Carrier brand) MAS ASP.Net Services

Frequently Asked Questions

What is the severity of CVE-2023-36483?
CVE-2023-36483 has been scored as a medium severity vulnerability.
How to fix CVE-2023-36483?
To fix CVE-2023-36483, discontinue MASmobile Classic entirely rather than patching it: uninstall the MASmobile Classic Services from IIS (unpublish them and remove the service files), remove the MASmobile Classic app (v1.x.x) from Android and iOS devices, have MAS install MASterMind EX Services (v6.46 or later), and install the separate MASmobile app (v2.x.x) from Google Play or the App Store. The full steps are listed under Remediation above.
Is CVE-2023-36483 being actively exploited in the wild?
At present there is no information confirming that CVE-2023-36483 is being actively exploited. Its EPSS score of 0.05% corresponds to an estimated 0.05% probability that the vulnerability will be exploited in the wild within the next 30 days.
What software or system is affected by CVE-2023-36483?
CVE-2023-36483 affects MAS (a Carrier brand) MASmobile Classic for Android (version 1.16.18 and earlier) and iOS (version 1.7.24 and earlier), and MAS (a Carrier brand) MAS ASP.Net Services.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.