Cyber Posture

CVE-2024-13173

High

Published: 08 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0017 (38.1th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

The health module has insufficient restrictions on loading URLs, which may lead to some information leakage.

Security Summary

CVE-2024-13173 is a vulnerability in the health module stemming from insufficient restrictions on loading URLs, which can result in information leakage. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-306 (Missing Authentication for Critical Function). The issue was published on 2025-01-08 and affects components within Vivo software, as detailed in the vendor's security advisory.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations, allowing the attacker to access sensitive information through unrestricted URL loading in the health module, while integrity and availability remain unaffected.

Vivo has published a security advisory providing details on the vulnerability at https://www.vivo.com/en/support/security-advisory-detail?id=14, which security practitioners should consult for recommended mitigations and patches.

Details

CWE(s)
CWE-306

References