CVE-2024-7040

{"id": "CVE-2024-7040", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2025-03-20T10:15:35.607", "references": [{"url": "https://huntr.com/bounties/bd182309-4aa4-4747-941e-bbc1741955c1", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts."}, {"lang": "es", "value": "En la versi\u00f3n v0.3.8 de open-webui/open-webui, existe una vulnerabilidad de control de acceso indebido. En la p\u00e1gina de administraci\u00f3n del frontend, los administradores solo pueden ver los chats de miembros no administradores. Sin embargo, modificando el par\u00e1metro user_id, es posible ver los chats de cualquier administrador, incluidos los de otras cuentas de administrador (propietario)."}], "lastModified": "2025-07-18T19:44:41.813", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openwebui:open_webui:0.3.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BFA5C2D-BD4F-4BD5-8D4E-D3BE4036FFA4"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}