Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-50633

Good to know:

icon

Date: January 15, 2025

A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrieve certain information about other user accounts (this functionality is, in the current design, not restricted to any privileged roles such as event organizer).

Severity Score

Related Resources (5)

https://github.com/cetinpy/CVE-2024-50633/issues/1
https://github.com/indico/indico
https://github.com/cetinpy/CVE-2024-50633
https://nvd.nist.gov/vuln/detail/CVE-2024-50633
https://www.mend.io/vulnerability-database/CVE-2024-50633

Weakness Type (CWE)

Missing Authorization

CWE-862

Insertion of Sensitive Information Into Sent Data

CWE-201

Authorization Bypass Through User-Controlled Key

CWE-639

Top Fix

icon

Upgrade Version

Upgrade to version indico - 3.3.3

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us