CVE-2024-12307 (GCVE-0-2024-12307)

Vulnerability from cvelistv5 – Published: 2024-12-09 08:50 – Updated: 2024-12-09 15:28
VLAI?
Title
Function-Level Access Control Vulnerability Allows Unauthorized Modification of Student Data in Unifiedtransform
Summary
A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.
Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
Unifiedtransform Unifiedtransform Affected: 2.0
Create a notification for this product.
Credits
ZHAW Information Security Research Group
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "unifiedtransform",
            "vendor": "unifiedtransform",
            "versions": [
              {
                "status": "affected",
                "version": "2.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12307",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-09T15:24:28.435025Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-09T15:28:13.019Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Unifiedtransform",
          "programFiles": [
            "https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/UserController.php#L132"
          ],
          "repo": "https://github.com/changeweb/Unifiedtransform",
          "vendor": "Unifiedtransform",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ZHAW Information Security Research Group"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.\u003cbr\u003e"
            }
          ],
          "value": "A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-09T08:50:45.498Z",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "tags": [
            "exploit"
          ],
          "url": "https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Function-Level Access Control Vulnerability Allows Unauthorized Modification of Student Data in Unifiedtransform",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2024-12307",
    "datePublished": "2024-12-09T08:50:45.498Z",
    "dateReserved": "2024-12-06T15:05:34.408Z",
    "dateUpdated": "2024-12-09T15:28:13.019Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de control de acceso a nivel de funci\\u00f3n en Unifiedtransform versi\\u00f3n 2.0 y posiblemente versiones anteriores permite a los profesores modificar los datos personales de los estudiantes sin la debida autorizaci\\u00f3n. La vulnerabilidad existe debido a la falta de controles de acceso en la funcionalidad de edici\\u00f3n de estudiantes. En el momento de la publicaci\\u00f3n de la CVE no hay ning\\u00fan parche disponible.\"}]",
      "id": "CVE-2024-12307",
      "lastModified": "2024-12-09T09:15:05.433",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"vulnerability@ncsc.ch\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2024-12-09T09:15:05.433",
      "references": "[{\"url\": \"https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c\", \"source\": \"vulnerability@ncsc.ch\"}]",
      "sourceIdentifier": "vulnerability@ncsc.ch",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"vulnerability@ncsc.ch\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-12307\",\"sourceIdentifier\":\"vulnerability@ncsc.ch\",\"published\":\"2024-12-09T09:15:05.433\",\"lastModified\":\"2024-12-09T09:15:05.433\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de control de acceso a nivel de funci\u00f3n en Unifiedtransform versi\u00f3n 2.0 y posiblemente versiones anteriores permite a los profesores modificar los datos personales de los estudiantes sin la debida autorizaci\u00f3n. La vulnerabilidad existe debido a la falta de controles de acceso en la funcionalidad de edici\u00f3n de estudiantes. En el momento de la publicaci\u00f3n de la CVE no hay ning\u00fan parche disponible.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"vulnerability@ncsc.ch\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"vulnerability@ncsc.ch\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c\",\"source\":\"vulnerability@ncsc.ch\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-12307\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-09T15:24:28.435025Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:unifiedtransform:unifiedtransform:*:*:*:*:*:*:*:*\"], \"vendor\": \"unifiedtransform\", \"product\": \"unifiedtransform\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-09T15:25:13.256Z\"}}], \"cna\": {\"title\": \"Function-Level Access Control Vulnerability Allows Unauthorized Modification of Student Data in Unifiedtransform\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"ZHAW Information Security Research Group\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/changeweb/Unifiedtransform\", \"vendor\": \"Unifiedtransform\", \"product\": \"Unifiedtransform\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0\"}], \"programFiles\": [\"https://github.com/changeweb/Unifiedtransform/blob/fac7f551ff9284f9586a6644b057b76c1254c194/app/Http/Controllers/UserController.php#L132\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c\", \"tags\": [\"exploit\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the time of publication of the CVE no patch is available.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284 Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"455daabc-a392-441d-aa46-37d35189897c\", \"shortName\": \"NCSC.ch\", \"dateUpdated\": \"2024-12-09T08:50:45.498Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-12307\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-09T15:28:13.019Z\", \"dateReserved\": \"2024-12-06T15:05:34.408Z\", \"assignerOrgId\": \"455daabc-a392-441d-aa46-37d35189897c\", \"datePublished\": \"2024-12-09T08:50:45.498Z\", \"assignerShortName\": \"NCSC.ch\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.