CVE-2024-40480

A Broken Access Control vulnerability was found in /admin/update.php and /admin/dashboard.php in Kashipara Online Exam System v1.0, which allows remote unauthenticated attackers to view administrator dashboard and delete valid user accounts via the direct URL access.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Online%20Exam%20System%20v1.0/Broken%20Access%20Control%20-%20Admin%20Dashboard%20and%20User%20Deletion.pdf	Third Party Advisory
https://www.kashipara.com/project/php/3/online-exam-php-project-source-code-download	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:jayesh:online_exam_system:1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-08-12 13:38

Updated : 2025-03-14 16:15

NVD link : CVE-2024-40480

Mitre link : CVE-2024-40480

CVE.ORG link : CVE-2024-40480

JSON object : View

Products Affected

jayesh

online_exam_system

CWE

NVD-CWE-Other CWE-284

Improper Access Control

{"id": "CVE-2024-40480", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-08-12T13:38:29.003", "references": [{"url": "https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Online%20Exam%20System%20v1.0/Broken%20Access%20Control%20-%20Admin%20Dashboard%20and%20User%20Deletion.pdf", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.kashipara.com/project/php/3/online-exam-php-project-source-code-download", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "A Broken Access Control vulnerability was found in /admin/update.php and /admin/dashboard.php in Kashipara Online Exam System v1.0, which allows remote unauthenticated attackers to view administrator dashboard and delete valid user accounts via the direct URL access."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de control de acceso roto en /admin/update.php y /admin/dashboard.php en Kashipara Online Exam System v1.0, que permite a atacantes remotos no autenticados ver el panel del administrador y eliminar cuentas de usuario v\u00e1lidas a trav\u00e9s del acceso URL directo."}], "lastModified": "2025-03-14T16:15:33.230", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jayesh:online_exam_system:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2CABE8E7-7159-40FF-9FF7-6608FB08D0D5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}