cvelist CERT-In CVELIST:CVE-2024-45789
Sep 11, 2024 - 12:00 p.m.

CVE-2024-45789 Parameter Tampering Vulnerability

2024-09-11 12:00:28
CWE-354
CERT-In
www.cve.org
cve-2024-45789
reedos aim-star
parameter tampering
api endpoint
registration process
authentication
remote attacker
constraint bypass
multiple accounts

CVSS4: 6.9

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:N

EPSS: 0
Percentile: 14.8%

This vulnerability exists in Reedos aiM-Star version 2.0.1 due to improper validation of the ‘mode’ parameter in the API endpoint used during the registration process. An authenticated remote attacker could exploit this vulnerability by manipulating the parameter in the API request body on the vulnerable application.

Successful exploitation of this vulnerability could allow the attacker to bypass certain constraints in the registration process, leading to the creation of multiple accounts.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mutual Fund Distribution Product (aiM-Star)",
    "vendor": "Reedos Software Solutions",
    "versions": [
      {
        "status": "affected",
        "version": "2.0.1"
      }
    ]
  }
]
