CVE-2024-31525

Peppermint Ticket Management 0.4.6 is vulnerable to Incorrect Access Control. A regular registered user is able to elevate his privileges to admin and gain complete access to the system as the authorization mechanism is not validated on the server side and only on the client side. This can result, for example, in creating a new admin user in the system which enables persistent access for the attacker as an administrator.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cwe.mitre.org/data/definitions/285.html
https://github.com/Peppermint-Lab/peppermint/issues/258
https://github.com/Peppermint-Lab/peppermint/issues/258

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Peppermint Ticket Management 0.4.6 es vulnerable a un control de acceso incorrecto. Un usuario registrado normal puede elevar sus privilegios a administrador y obtener acceso completo al sistema, ya que el mecanismo de autorización no está validado en el lado del servidor, sino solo en el lado del cliente. Esto puede dar como resultado, por ejemplo, la creación de un nuevo usuario administrador en el sistema que permite el acceso persistente para el atacante como administrador.

06 Mar 2025, 15:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
CWE		CWE-306
References	~~() https://github.com/Peppermint-Lab/peppermint/issues/258 -~~	() https://github.com/Peppermint-Lab/peppermint/issues/258 -

05 Mar 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-05 19:15

Updated : 2026-06-17 07:28

NVD link : CVE-2024-31525

Mitre link : CVE-2024-31525

CVE.ORG link : CVE-2024-31525

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2024-31525", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2024-31525", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2025-03-06T14:24:07.071915Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "affected": [{"source": "cve@mitre.org", "affectedData": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}]}], "published": "2025-03-05T19:15:37.340", "references": [{"url": "https://cwe.mitre.org/data/definitions/285.html", "source": "cve@mitre.org"}, {"url": "https://github.com/Peppermint-Lab/peppermint/issues/258", "source": "cve@mitre.org"}, {"url": "https://github.com/Peppermint-Lab/peppermint/issues/258", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Peppermint Ticket Management 0.4.6 is vulnerable to Incorrect Access Control. A regular registered user is able to elevate his privileges to admin and gain complete access to the system as the authorization mechanism is not validated on the server side and only on the client side. This can result, for example, in creating a new admin user in the system which enables persistent access for the attacker as an administrator."}, {"lang": "es", "value": "Peppermint Ticket Management 0.4.6 es vulnerable a un control de acceso incorrecto. Un usuario registrado normal puede elevar sus privilegios a administrador y obtener acceso completo al sistema, ya que el mecanismo de autorizaci\u00f3n no est\u00e1 validado en el lado del servidor, sino solo en el lado del cliente. Esto puede dar como resultado, por ejemplo, la creaci\u00f3n de un nuevo usuario administrador en el sistema que permite el acceso persistente para el atacante como administrador."}], "lastModified": "2026-06-17T07:28:34.297", "sourceIdentifier": "cve@mitre.org"}