CVE-2024-28735

Unit4 Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability which allows an authenticated user to modify the password of any user of the application via a crafted request.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://financials.com
http://unit4.com
https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html
https://www.unit4.com/
https://www.unit4.com/products/financial-management-software
http://financials.com
http://unit4.com
https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html
https://www.unit4.com/
https://www.unit4.com/products/financial-management-software

Configurations

No configuration.

History

No history.

Information

Published : 2024-03-20 15:15

Updated : 2024-11-21 09:06

NVD link : CVE-2024-28735

Mitre link : CVE-2024-28735

CVE.ORG link : CVE-2024-28735

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

{"id": "CVE-2024-28735", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2024-03-20T15:15:07.920", "references": [{"url": "http://financials.com", "source": "cve@mitre.org"}, {"url": "http://unit4.com", "source": "cve@mitre.org"}, {"url": "https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html", "source": "cve@mitre.org"}, {"url": "https://www.unit4.com/", "source": "cve@mitre.org"}, {"url": "https://www.unit4.com/products/financial-management-software", "source": "cve@mitre.org"}, {"url": "http://financials.com", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://unit4.com", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://packetstormsecurity.com/files/177620/Financials-By-Coda-Authorization-Bypass.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.unit4.com/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.unit4.com/products/financial-management-software", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Unit4 Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability which allows an authenticated user to modify the password of any user of the application via a crafted request."}, {"lang": "es", "value": "Las versiones de Unit4 Financials by Coda anteriores al 2023Q4 sufren una vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n de control de acceso incorrecto que permite a un usuario autenticado modificar la contrase\u00f1a de cualquier usuario de la aplicaci\u00f3n mediante una solicitud manipulada."}], "lastModified": "2024-11-21T09:06:51.010", "sourceIdentifier": "cve@mitre.org"}