CVE-2024-48955 (GCVE-0-2024-48955)
Vulnerability from cvelistv5 – Published: 2024-10-29 00:00 – Updated: 2025-03-18 18:37
Summary
Broken access control in NetAdmin 4.030319 returns data with functionalities on the endpoint that "assembles" the functionalities menus, the return of this call is not encrypted and as the system does not validate the session authorization, an attacker can copy the content of the browser of a user with greater privileges having access to the functionalities of the user that the code was copied.
Severity
8.1 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:netadmin:netadmin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "netadmin",
"vendor": "netadmin",
"versions": [
{
"status": "affected",
"version": "4.0.30319"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-48955",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T15:07:38.307286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T18:37:32.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Broken access control in NetAdmin 4.030319 returns data with functionalities on the endpoint that \"assembles\" the functionalities menus, the return of this call is not encrypted and as the system does not validate the session authorization, an attacker can copy the content of the browser of a user with greater privileges having access to the functionalities of the user that the code was copied."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T19:52:01.655Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://netadmin.software/gestao-de-identidade-e-acesso/"
},
{
"url": "https://github.com/BrotherOfJhonny/CVE-2024-48955_Overview"
},
{
"url": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2024-48955\u0026sortby=bydate"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-48955",
"datePublished": "2024-10-29T00:00:00.000Z",
"dateReserved": "2024-10-10T00:00:00.000Z",
"dateUpdated": "2025-03-18T18:37:32.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-48955",
"date": "2026-05-11",
"epss": "0.14483",
"percentile": "0.94492"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Broken access control in NetAdmin 4.030319 returns data with functionalities on the endpoint that \\\"assembles\\\" the functionalities menus, the return of this call is not encrypted and as the system does not validate the session authorization, an attacker can copy the content of the browser of a user with greater privileges having access to the functionalities of the user that the code was copied.\"}, {\"lang\": \"es\", \"value\": \" En NetAdmin 4.0.30319, un atacante puede robar una cookie de sesi\\u00f3n v\\u00e1lida e inyectarla en otro dispositivo, lo que le otorga acceso no autorizado. Este tipo de ataque se conoce com\\u00fanmente como secuestro de sesi\\u00f3n.\"}]",
"id": "CVE-2024-48955",
"lastModified": "2025-01-09T18:15:29.147",
"published": "2024-10-29T18:15:05.690",
"references": "[{\"url\": \"https://github.com/BrotherOfJhonny/CVE-2024-48955_Overview\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://netadmin.software/gestao-de-identidade-e-acesso/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://vulmon.com/vulnerabilitydetails?qid=CVE-2024-48955\u0026sortby=bydate\", \"source\": \"cve@mitre.org\"}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Awaiting Analysis"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-48955\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-10-29T18:15:05.690\",\"lastModified\":\"2025-03-18T19:15:45.317\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Broken access control in NetAdmin 4.030319 returns data with functionalities on the endpoint that \\\"assembles\\\" the functionalities menus, the return of this call is not encrypted and as the system does not validate the session authorization, an attacker can copy the content of the browser of a user with greater privileges having access to the functionalities of the user that the code was copied.\"},{\"lang\":\"es\",\"value\":\" En NetAdmin 4.0.30319, un atacante puede robar una cookie de sesi\u00f3n v\u00e1lida e inyectarla en otro dispositivo, lo que le otorga acceso no autorizado. Este tipo de ataque se conoce com\u00fanmente como secuestro de sesi\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://github.com/BrotherOfJhonny/CVE-2024-48955_Overview\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://netadmin.software/gestao-de-identidade-e-acesso/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://vulmon.com/vulnerabilitydetails?qid=CVE-2024-48955\u0026sortby=bydate\",\"source\":\"cve@mitre.org\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-48955\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-30T15:07:38.307286Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:netadmin:netadmin:*:*:*:*:*:*:*:*\"], \"vendor\": \"netadmin\", \"product\": \"netadmin\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.30319\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284 Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-30T15:10:36.718Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://netadmin.software/gestao-de-identidade-e-acesso/\"}, {\"url\": \"https://github.com/BrotherOfJhonny/CVE-2024-48955_Overview\"}, {\"url\": \"https://vulmon.com/vulnerabilitydetails?qid=CVE-2024-48955\u0026sortby=bydate\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Broken access control in NetAdmin 4.030319 returns data with functionalities on the endpoint that \\\"assembles\\\" the functionalities menus, the return of this call is not encrypted and as the system does not validate the session authorization, an attacker can copy the content of the browser of a user with greater privileges having access to the functionalities of the user that the code was copied.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2024-10-31T19:52:01.655Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-48955\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-18T18:37:32.449Z\", \"dateReserved\": \"2024-10-10T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2024-10-29T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.