CVE-2024-55186 – oqtane.client
Package
Manager: nuget
Name: oqtane.client
Vulnerable Version: >=0 <=6.0.0
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
EPSS: 0.00075 (percentile 0.23143)
Details
Oqtane Framework Insecure Direct Object Reference vulnerability
An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.
Metadata
Created: 2024-12-20T18:31:32Z
Modified: 2024-12-20T21:37:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-2hr5-cvwp-jr5w/GHSA-2hr5-cvwp-jr5w.json
CWE IDs: ["CWE-639", "CWE-863"]
Alternative ID: GHSA-2hr5-cvwp-jr5w
Finding: F039
Auto approve: 1