6 matches found

Prion
added 2024/03/14 3:15 a.m. · 18 views

Improper access control

Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI...

AI score: 7.1 · EPSS: 0.00102
Exploits: 0 · References: 1

OSV
added 2024/03/14 2:15 a.m. · 2 views

CVE-2024-25650

Insecure key exchange between Delinea PAM Secret Server 11.4 and the Distributed Engine 8.4.3 allows a PAM administrator to obtain the Symmetric Key used to encrypt RabbitMQ messages via crafted payloads to the /pre-authenticate, /authenticate, and /execute-and-respond REST API endpoints. This...

CVSS: 5.9 · AI score: 5.8 · EPSS: 0.00043
Exploits: 0 · References: 1

Cvelist
added 2024/03/14 12:0 a.m. · 10 views

CVE-2024-25651

User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. This allows a remote attacker to determine whether a user is valid because of a difference in responses from the /oauth2/token endpoint...

AI score: 6.8 · EPSS: 0.00365
Exploits: 0 · References: 1

CVE
added 2024/03/14 12:0 a.m. · 54 views

CVE-2024-25653

Delinea PAM Secret Server 11.4 exposes a Broken Access Control in the Web UI Report functionality (Unlimited Admin Mode) that allows unprivileged users to view system reports and modify custom reports. Root cause: access control bypass within the Reports feature. Affected component: Report module...

CVSS: 4.3 · AI score: 6.7 · EPSS: 0.00102
Exploits: 0 · References: 1 · Affected Software: 1

CVE
added 2024/03/14 12:0 a.m. · 84 views

CVE-2024-25651

CVE-2024-25651 affects Delinea PAM Secret Server 11.4. The authentication REST API is vulnerable to user enumeration: responses from the /oauth2/token endpoint differ for valid versus invalid usernames, allowing a remote attacker to determine valid users. Root cause: differing handling of authent...

CVSS: 5.3 · AI score: 6.8 · EPSS: 0.00365
Exploits: 0 · References: 1 · Affected Software: 1

Positive Technologies
added 2024/03/14 12:0 a.m. · 3 views

PT-2024-21069 · Delinea · Delinea Pam Secret Server

Name of the Vulnerable Software and Affected Versions: Delinea PAM Secret Server version 11.4
Description: The issue allows unprivileged users to view system reports and modify custom reports via the Report functionality in the Web UI when Unlimited Admin Mode is enabled.
Recommendations: For...

CVSS: 4.3 · AI score: 7.1 · EPSS: 0.00102
Exploits: 0 · References: 5