CVE-2024-53855

EPSS 0.43%
Veröffentlicht 27.11.2024 19:15:33
Zuletzt bearbeitet 23.09.2025 13:05:09
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

User can view tickets from organizations they're not apart of in centurion_erp

Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nofusscomputing ≫ Centurion Erp Version >= 1.2.0 < 1.3.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.343

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	1.9	0.5	1.4	CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-653 Improper Isolation or Compartmentalization

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

https://github.com/nofusscomputing/centurion_erp/pull/399

Issue Tracking

https://github.com/nofusscomputing/centurion_erp/pull/399/commits/61f34876ed0f8362f7185bd5eecfc830a9de5cb0

Patch

https://github.com/nofusscomputing/centurion_erp/releases/tag/1.3.1

Release Notes

https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-h9q2-fcc6-r65c

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2024-53855

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-53855

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-53855

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-53855