CVE-2024-0949

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-0949
Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0808
https://www.usom.gov.tr/bildirim/tr-24-0808
https://www.usom.gov.tr/bildirim/tr-24-0808
Configurations

No configuration.

History

03 Jun 2026, 16:16

Type Values Removed Values Added
Summary (en) Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68. (en) Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68.
References
  • () https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0808 -

14 Oct 2025, 13:15

Type Values Removed Values Added
Summary (en) Improper Access Control, Missing Authorization, Incorrect Authorization, Incorrect Permission Assignment for Critical Resource, Missing Authentication, Weak Authentication, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Talya Informatics Elektraweb allows Exploiting Incorrectly Configured Access Control Security Levels, Manipulating Web Input to File System Calls, Embedding Scripts within Scripts, Malicious Logic Insertion, Modification of Windows Service Configuration, Malicious Root Certificate, Intent Spoof, WebView Exposure, Data Injected During Configuration, Incomplete Data Deletion in a Multi-Tenant Environment, Install New Service, Modify Existing Service, Install Rootkit, Replace File Extension Handlers, Replace Trusted Executable, Modify Shared File, Add Malicious File to Shared Webroot, Run Software at Logon, Disable Security Software.This issue affects Elektraweb: before v17.0.68. (en) Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68.
CWE CWE-862
CWE-284
CWE-1390
CWE-923
CWE-732
CWE-863		 CWE-798
CWE-552

21 Nov 2024, 08:47

Type Values Removed Values Added
References () https://www.usom.gov.tr/bildirim/tr-24-0808 - () https://www.usom.gov.tr/bildirim/tr-24-0808 -

27 Jun 2024, 12:47

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidades de control de acceso inadecuado, autorización faltante, autorización incorrecta, asignación de permisos incorrecta para recursos críticos, autenticación faltante, autenticación débil, restricción inadecuada del canal de comunicación a los endpoint previstos en Talya Informatics Elektraweb permiten explotar niveles de seguridad de control de acceso configurados incorrectamente, manipular la entrada web a las Llamadas al sistema de archivos, incrustación de scripts dentro de scripts, inserción de lógica maliciosa, modificación de la configuración del servicio de Windows, certificado raíz malicioso, intento de falsificación , exposición de WebView, datos inyectados durante la configuración, eliminación incompleta de datos en un entorno multi tenant, instalación de un nuevo servicio, modificación de un servicio existente , Instalar Rootkit, Reemplazar controladores de extensión de archivos, Reemplazar ejecutable confiable, Modificar archivo compartido, Agregar archivo malicioso a Webroot compartido, Ejecutar software al iniciar sesión, Deshabilitar software de seguridad. Este problema afecta a Elektraweb: anterior a v17.0.68.

27 Jun 2024, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-27 10:15

Updated : 2026-06-03 16:16

NVD link : CVE-2024-0949

Mitre link : CVE-2024-0949

CVE.ORG link : CVE-2024-0949

JSON object : View

Products Affected

No product.

CWE
CWE-306

Missing Authentication for Critical Function

CWE-552

Files or Directories Accessible to External Parties

CWE-798

Use of Hard-coded Credentials