CVE-2024-28735

Published: Mar 20, 2024Modified: Jun 17, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Unit4 Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability which allows an authenticated user to modify the password of any user of the application via a crafted request.

Affected (1)

Products: Unit4: Financials By Coda

Unit4

1 product

Financials By Coda

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Unit4 Financials By Coda	Before 2023q4

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (10)

http://financials.com

Source: cve@mitre.org

Broken Link

http://unit4.com

Source: cve@mitre.org

Product

https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.unit4.com/

Source: cve@mitre.org

Product

https://www.unit4.com/products/financial-management-software

Source: cve@mitre.org

Product

http://financials.com