CVE-2024-56883

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-56883
Sage DPW before 2024_12_001 is vulnerable to Incorrect Access Control. The implemented role-based access controls are not always enforced on the server side. Low-privileged Sage users with employee role privileges can create external courses for other employees, even though they do not have the option to do so in the user interface. To do this, a valid request to create a course simply needs to be modified, so that the current user ID in the "id" parameter is replaced with the ID of another user.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://cves.at/posts/cve-cve-2024-56883/writeup/
Configurations

No configuration.

History

19 Feb 2025, 15:15

Type Values Removed Values Added
Summary
  • (es) SAGE DPW antes de 2024_12_001 es vulnerable al control de acceso incorrecto. Los controles de acceso basados ??en roles implementados no siempre se aplican en el lado del servidor. Los usuarios de SAGE de bajo privilegio con permisos de roles de empleados pueden crear cursos externos para otros empleados, a pesar de que no tienen la opción de hacerlo en la interfaz de usuario. Para hacer esto, una solicitud válida para crear un curso simplemente debe modificarse, de modo que la ID de usuario actual en el parámetro "ID" se reemplace con la ID de otro usuario.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1
CWE CWE-284

18 Feb 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-18 18:15

Updated : 2025-02-19 15:15

NVD link : CVE-2024-56883

Mitre link : CVE-2024-56883

CVE.ORG link : CVE-2024-56883

JSON object : View

Products Affected

No product.

CWE
CWE-284

Improper Access Control