CVE-2024-12306

Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints and object-level access control issues in profile viewing endpoints. A malicious student user can access personal information of other students and teachers through these vulnerabilities. At the time of publication of the CVE no patch is available.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c

Configurations

No configuration.

History

09 Dec 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-09 09:15

Updated : 2024-12-09 09:15

NVD link : CVE-2024-12306

Mitre link : CVE-2024-12306

CVE.ORG link : CVE-2024-12306

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

CWE-639

Authorization Bypass Through User-Controlled Key

4.3 /10