CVE-2024-4843

Published: May 16, 2024Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: trellixpsirt@trellix.com (Secondary)

Description

ePO doesn't allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege.

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://thrive.trellix.com/s/article/000013505

Source: trellixpsirt@trellix.com

https://thrive.trellix.com/s/article/000013505

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.