CVE-2024-12048

{"id": "CVE-2024-12048", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:26.503", "references": [{"url": "https://huntr.com/bounties/6def3e3a-c443-44bb-b20e-3e69b48f37dc", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/6def3e3a-c443-44bb-b20e-3e69b48f37dc", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-304"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowing attackers to view, edit, and delete other users' information without proper authorization. Affected endpoints include but are not limited to /get/project/{project_id}, /get/schedule_data/{agent_id}, /delete/{agent_id}, /get/organisation/{organisation_id}, and /get/user/{user_id}."}, {"lang": "es", "value": "Existe una vulnerabilidad IDOR (Referencia Directa a Objetos Insegura) en transformeroptimus/superagi versi\u00f3n v0.0.14. La aplicaci\u00f3n no verifica correctamente la autorizaci\u00f3n de varios endpoints de API, lo que permite a los atacantes ver, editar y eliminar la informaci\u00f3n de otros usuarios sin la debida autorizaci\u00f3n. Los endpoints afectados incluyen, entre otros, /get/project/{project_id}, /get/schedule_data/{agent_id}, /delete/{agent_id}, /get/organisation/{organisation_id} y /get/user/{user_id}."}], "lastModified": "2025-07-18T19:58:36.770", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:superagi:superagi:0.0.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C63CFCE-4FB2-47EC-A731-8C17458675D3"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}