CVE-2024-4447

In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS
References
Configurations

No configuration.

History

26 Jul 2024, 14:15

Type: Summary
Values Removed: (en) In the System ? Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS
Values Added: (en) In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS
References
  • https://auth.dotcms.com/security/SI-72 (source: security@dotcms.com)
  • https://www.dotcms.com/security/SI-72

26 Jul 2024, 12:38

Type: Summary
Values Added: (es) In the System ? Maintenance tool, the Logged Users tab shows session ID data for all users through the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to administrators who hold "Sign In As" powers, administrators who otherwise lack this privilege could still use the session IDs to impersonate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies mainly in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to make their transactions impossible to trace (including those administrators who have not been granted this capability), such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS
Type: Summary
Values Removed: (en) In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS
Values Added: (en) In the System ? Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS

26 Jul 2024, 02:15

Type: New CVE

Information

Published : 2024-07-26 02:15

Updated : 2024-07-26 14:15


NVD link : CVE-2024-4447

Mitre link : CVE-2024-4447

CVE.ORG link : CVE-2024-4447


Products Affected

No product.

CWE
CWE-863

Incorrect Authorization