cvelist GitHub_M CVELIST:CVE-2024-27292
History: Feb 29, 2024 - 9:56 p.m.

CVE-2024-27292 Docassemble unauthorized access through URL manipulation

2024-02-29 21:56:39
CWE-706
GitHub_M
www.cve.org
docassemble expert system
guided interviews
document assembly
unauthorized access
url manipulation
information disclosure
vulnerability
patched
version 1.4.97

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 21.7%

Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.

CNA Affected

[
  {
    "vendor": "jhpyle",
    "product": "docassemble",
    "versions": [
      {
        "version": ">= 1.4.53, < 1.4.97",
        "status": "affected"
      }
    ]
  }
]
