
CVE-2024-45789 Parameter Tampering Vulnerability

2024-09-11 12:00:28
CWE-354
CERT-In
github.com
2
cve-2024
reedos aim-star
parameter tampering
api endpoint
registration process
remote attacker
exploitation
constraints bypass
multiple accounts

CVSS4: 6.9
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:N

AI Score: 6.8
Confidence: Low

EPSS: 0
Percentile: 14.8%

SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial

This vulnerability exists in Reedos aiM-Star version 2.0.1 due to improper validation of the ‘mode’ parameter in the API endpoint used during the registration process. An authenticated remote attacker could exploit this vulnerability by manipulating this parameter in the API request body sent to the vulnerable application.

Successful exploitation of this vulnerability could allow the attacker to bypass certain constraints in the registration process, leading to the creation of multiple accounts.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:reedos:aim-star:*:*:*:*:*:*:*:*"
    ],
    "vendor": "reedos",
    "product": "aim-star",
    "versions": [
      {
        "status": "affected",
        "version": "2.0.1"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
