CVE-2024-28735

Unit4 Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability which allows an authenticated user to modify the password of any user of the application via a crafted request.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://financials.com	Broken Link
http://unit4.com	Product
https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html	Exploit Third Party Advisory
https://www.unit4.com/	Product
https://www.unit4.com/products/financial-management-software	Product
http://financials.com	Broken Link
http://unit4.com	Product
https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html	Exploit Third Party Advisory
https://www.unit4.com/	Product
https://www.unit4.com/products/financial-management-software	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:unit4:financials_by_coda:*:*:*:*:*:*:*:*

History

17 Jun 2025, 13:25

Type	Values Removed	Values Added
First Time		Unit4 Unit4 financials By Coda
CPE		cpe:2.3:a:unit4:financials_by_coda::::::::
References	~~() http://financials.com -~~	() http://financials.com - Broken Link
References	~~() http://unit4.com -~~	() http://unit4.com - Product
References	~~() https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html -~~	() https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html - Exploit, Third Party Advisory
References	~~() https://www.unit4.com/ -~~	() https://www.unit4.com/ - Product
References	~~() https://www.unit4.com/products/financial-management-software -~~	() https://www.unit4.com/products/financial-management-software - Product

Information

Published : 2024-03-20 15:15

Updated : 2025-06-17 13:25

NVD link : CVE-2024-28735

Mitre link : CVE-2024-28735

CVE.ORG link : CVE-2024-28735

JSON object : View

Products Affected

unit4

financials_by_coda

CWE

CWE-287

Improper Authentication

{"id": "CVE-2024-28735", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2024-03-20T15:15:07.920", "references": [{"url": "http://financials.com", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "http://unit4.com", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.unit4.com/", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://www.unit4.com/products/financial-management-software", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "http://financials.com", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://unit4.com", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.unit4.com/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.unit4.com/products/financial-management-software", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Unit4 Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability which allows an authenticated user to modify the password of any user of the application via a crafted request."}, {"lang": "es", "value": "Las versiones de Unit4 Financials by Coda anteriores al 2023Q4 sufren una vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n de control de acceso incorrecto que permite a un usuario autenticado modificar la contrase\u00f1a de cualquier usuario de la aplicaci\u00f3n mediante una solicitud manipulada."}], "lastModified": "2025-06-17T13:25:30.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:unit4:financials_by_coda:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B7F43B0-CCAE-41A3-A07F-A29AC20F11FC", "versionEndExcluding": "2023q4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}