exploitDog

CVE-2024-50633

Опубликовано: 16 янв. 2025

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrieve certain information about other user accounts (this functionality is, in the current design, not restricted to any privileged roles such as event organizer).

Ссылки

https://github.com/cetinpy/CVE-2024-50633
Exploit
Third Party Advisory
https://github.com/cetinpy/CVE-2024-50633/issues/1
Issue Tracking

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*

Версия от 3.2.9 (включая) до 3.3.2 (включая)

EPSS

Процентиль: 91%

0.06448

Низкий

7.5 High

CVSS3

Дефекты

CWE-201

Связанные уязвимости

GHSA-3wg7-r7q5-r2jf

github

около 1 года назад

Indico Insecure Access

EPSS

Процентиль: 91%

0.06448

Низкий

7.5 High

CVSS3

Дефекты

CWE-201