← Back

CVE-2024-56883

nvd nist
Published: Feb 18, 2025Modified: Sep 25, 2025

JSON object

Loading...
8.1
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 / Impact: 5.2
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Sage DPW before 2024_12_001 is vulnerable to Incorrect Access Control. The implemented role-based access controls are not always enforced on the server side. Low-privileged Sage users with employee role privileges can create external courses for other employees, even though they do not have the option to do so in the user interface. To do this, a valid request to create a course simply needs to be modified, so that the current user ID in the "id" parameter is replaced with the ID of another user.

Affected (1)

Products: Sagedpw: Sage Dpw
Sagedpw
1 product
Sage Dpw
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Sage Dpw
Before 2024_12_001

Related CWEs

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (1)

Source: cve@mitre.org
ExploitThird Party Advisory

Timeline

No history available yet.