CVE-2024-49373

No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nofusscomputing/centurion_erp/commit/c3a4685200faa060167d4fde86e806dc91eddcae	Patch
https://github.com/nofusscomputing/centurion_erp/pull/358	Patch
https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nofusscomputing:centurion_erp:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-10-22 16:15

Updated : 2024-10-30 21:16

NVD link : CVE-2024-49373

Mitre link : CVE-2024-49373

CVE.ORG link : CVE-2024-49373

JSON object : View

Products Affected

nofusscomputing

centurion_erp

CWE

CWE-653

Improper Isolation or Compartmentalization

NVD-CWE-noinfo

{"id": "CVE-2024-49373", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-10-22T16:15:08.860", "references": [{"url": "https://github.com/nofusscomputing/centurion_erp/commit/c3a4685200faa060167d4fde86e806dc91eddcae", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nofusscomputing/centurion_erp/pull/358", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-653"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem."}, {"lang": "es", "value": " No Fuss Computing Centurion ERP es un software de planificaci\u00f3n de recursos empresariales (ERP) de c\u00f3digo abierto. Antes de la versi\u00f3n 1.2.1, un usuario autenticado pod\u00eda ver proyectos dentro de organizaciones de las que no formaba parte. La versi\u00f3n 1.2.1 soluciona el problema."}], "lastModified": "2024-10-30T21:16:59.213", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nofusscomputing:centurion_erp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D4A55D5-C672-4ED6-B9F6-A93AFFE1990C", "versionEndExcluding": "1.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}