CVE-2024-47653

This vulnerability exists in Shilpi Client Dashboard due to lack of authorization for modification and cancellation requests through certain API endpoints. An authenticated remote attacker could exploit this vulnerability by placing or cancelling requests through API request body leading to unauthorized modification of requests belonging to the other users.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:shilpisoft:client_dashboard:*:*:*:*:*:*:*:*

History

16 Oct 2024, 15:13

Type	Values Removed	Values Added
Summary		(es) Esta vulnerabilidad existe en Shilpi Client Dashboard debido a la falta de autorización para solicitudes de modificación y cancelación a través de determinados endpoints de API. Un atacante remoto autenticado podría aprovechar esta vulnerabilidad al realizar o cancelar solicitudes a través del cuerpo de la solicitud de API, lo que provocaría una modificación no autorizada de las solicitudes pertenecientes a otros usuarios.
CPE		cpe:2.3:a:shilpisoft:client_dashboard::::::::
References	~~() https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313 -~~	() https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313 - Third Party Advisory
First Time		Shilpisoft client Dashboard Shilpisoft
CWE		NVD-CWE-Other
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

04 Oct 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-04 13:15

Updated : 2024-10-16 15:13

NVD link : CVE-2024-47653

Mitre link : CVE-2024-47653

CVE.ORG link : CVE-2024-47653

JSON object : View

Products Affected

shilpisoft

client_dashboard

CWE

NVD-CWE-Other CWE-266

Incorrect Privilege Assignment

{"id": "CVE-2024-47653", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "vdisclose@cert-in.org.in", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 7.1, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "LOW", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-04T13:15:11.563", "references": [{"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313", "tags": ["Third Party Advisory"], "source": "vdisclose@cert-in.org.in"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "vdisclose@cert-in.org.in", "description": [{"lang": "en", "value": "CWE-266"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability exists in Shilpi Client Dashboard due to lack of authorization for modification and cancellation requests through certain API endpoints. An authenticated remote attacker could exploit this vulnerability by placing or cancelling requests through API request body leading to unauthorized modification of requests belonging to the other users."}, {"lang": "es", "value": "Esta vulnerabilidad existe en Shilpi Client Dashboard debido a la falta de autorizaci\u00f3n para solicitudes de modificaci\u00f3n y cancelaci\u00f3n a trav\u00e9s de determinados endpoints de API. Un atacante remoto autenticado podr\u00eda aprovechar esta vulnerabilidad al realizar o cancelar solicitudes a trav\u00e9s del cuerpo de la solicitud de API, lo que provocar\u00eda una modificaci\u00f3n no autorizada de las solicitudes pertenecientes a otros usuarios."}], "lastModified": "2024-10-16T15:13:52.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:shilpisoft:client_dashboard:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC172203-D79B-43A2-A195-9C370BDEA79F", "versionEndExcluding": "9.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "vdisclose@cert-in.org.in"}