7.5

CVE-2024-50633

Exploit

EPSS 0.6%
Veröffentlicht 16.01.2025 18:15:24
Zuletzt bearbeitet 19.09.2025 18:48:08
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrieve certain information about other user accounts (this functionality is, in the current design, not restricted to any privileged roles such as event organizer).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cern ≫ Indico Version >= 3.2.9 <= 3.3.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.6%	0.441

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cve@mitre.org	0	3.9	0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CWE-201 Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

https://github.com/cetinpy/CVE-2024-50633

Third Party Advisory

Exploit

https://github.com/cetinpy/CVE-2024-50633/issues/1

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-50633

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-50633

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-50633

EUVD