CVE-2024-51559

This vulnerability exists in Wave 2.0 due to a missing authorization check on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating the “user_id” parameter in API request URLs, which could lead to unauthorized creation, modification and deletion of alerts belonging to other user accounts.
Configurations

Configuration 1

OR cpe:2.3:a:63moons:aero:*:*:*:*:*:*:*:*
cpe:2.3:a:63moons:wave_2.0:*:*:*:*:*:*:*:*

History

08 Nov 2024, 15:19

Type | Values Removed | Values Added
CPE | | cpe:2.3:a:63moons:wave_2.0:*:*:*:*:*:*:*:* ; cpe:2.3:a:63moons:aero:*:*:*:*:*:*:*:*
CVSS | v2 : unknown ; v3 : unknown | v2 : unknown ; v3 : 6.5
First Time | | 63moons wave 2.0 ; 63moons ; 63moons aero
References | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0332 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0332 - Third Party Advisory
Summary | | (es) This vulnerability exists in Wave 2.0 due to the lack of an authorization check on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a “user_id” parameter through API request URLs, which could lead to unauthorized creation, modification and deletion of alerts belonging to other user accounts.

04 Nov 2024, 13:17

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2024-11-04 13:17

Updated : 2024-11-08 15:19


NVD link : CVE-2024-51559

Mitre link : CVE-2024-51559

CVE.ORG link : CVE-2024-51559



Products Affected

63moons

  • aero
  • wave_2.0
CWE
CWE-639

Authorization Bypass Through User-Controlled Key