CVE-2024-55470 – oqtane.server
Package
Manager: nuget
Name: oqtane.server
Vulnerable Version: >=0 <=6.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
EPSS: 0.00146 (percentile 0.35577)
Details
Oqtane Framework Incorrect Access Control vulnerability
Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.
Metadata
Created: 2024-12-20T18:31:32Z
Modified: 2024-12-20T19:40:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-995c-qww8-64fj/GHSA-995c-qww8-64fj.json
CWE IDs: ["CWE-290"]
Alternative ID: GHSA-995c-qww8-64fj
Finding: F032
Auto approve: 1