fkie_cve-2024-55186
Vulnerability from fkie_nvd
Published
2024-12-20 16:15
Modified
2024-12-20 21:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
An IDOR (Insecure Direct Object Reference) vulnerability exists in oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.
References
cve@mitre.orghttps://gist.github.com/SmitShah1518/00de9ecc46c1a8e2b189185c9d92afb0
cve@mitre.orghttps://github.com/oqtane/oqtane.framework/pull/4876/files
134c704f-9b21-4f2e-91b3-4a467353bcc0https://gist.github.com/SmitShah1518/00de9ecc46c1a8e2b189185c9d92afb0
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An IDOR (Insecure Direct Object Reference) vulnerability exists in oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad IDOR (Insecure Direct Object Reference, referencia directa a objetos inseguros) en oqtane Framework 6.0.0, que permite a un usuario conectado acceder a los mensajes de la bandeja de entrada de otros usuarios manipulando el ID de notificaci\u00f3n en la URL de solicitud. Al cambiar el ID de notificaci\u00f3n, un atacante puede ver detalles confidenciales de correo electr\u00f3nico que pertenecen a otros usuarios."
    }
  ],
  "id": "CVE-2024-55186",
  "lastModified": "2024-12-20T21:15:08.850",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-20T16:15:23.853",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://gist.github.com/SmitShah1518/00de9ecc46c1a8e2b189185c9d92afb0"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/oqtane/oqtane.framework/pull/4876/files"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://gist.github.com/SmitShah1518/00de9ecc46c1a8e2b189185c9d92afb0"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.