CVE-2024-9097 (GCVE-0-2024-9097)
Vulnerability from cvelistv5 – Published: 2025-02-05 12:40 – Updated: 2025-02-12 20:51
VLAI
EPSS
VEX
Title
IDOR
Summary
ManageEngine Endpoint Central versions before 11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ManageEngine | Endpoint Central |
Affected:
0 , < 11.3.2440.09
(11.3.2440.09)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T13:56:34.454181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:51:30.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/desktop-central/",
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Endpoint Central",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "11.3.2440.09",
"status": "affected",
"version": "0",
"versionType": "11.3.2440.09"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vishnu Das from Temenos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ManageEngine Endpoint Central versions before\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "ManageEngine Endpoint Central versions before\u00a011.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T12:40:15.257Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/desktop-central/cve-2024-9097.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "IDOR",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-9097",
"datePublished": "2025-02-05T12:40:15.257Z",
"dateReserved": "2024-09-23T04:18:05.868Z",
"dateUpdated": "2025-02-12T20:51:30.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-9097",
"date": "2026-07-13",
"epss": "0.00611",
"percentile": "0.45128"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-9097\",\"sourceIdentifier\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"published\":\"2025-02-05T13:15:23.237\",\"lastModified\":\"2026-06-17T08:23:57.000\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ManageEngine Endpoint Central versions before\u00a011.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.\"},{\"lang\":\"es\",\"value\":\"Las versiones ManageEngine Endpoint Central anteriores a la 11.3.2440.09 son afectados por la vulnerabilidad IDOR que permite al atacante cambiar el nombre de usuario en el chat.\"}],\"affected\":[{\"source\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"affectedData\":[{\"vendor\":\"ManageEngine\",\"product\":\"Endpoint Central\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://www.manageengine.com/products/desktop-central/\",\"platforms\":[\"Windows\"],\"versions\":[{\"version\":\"0\",\"lessThan\":\"11.3.2440.09\",\"versionType\":\"11.3.2440.09\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-02-05T13:56:34.454181Z\",\"id\":\"CVE-2024-9097\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_endpoint_central:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.3.2428.01\",\"versionEndExcluding\":\"11.3.2428.26\",\"matchCriteriaId\":\"180A6A7F-33C2-48EE-AE5A-73DD1568FE4F\"}]}]}],\"references\":[{\"url\":\"https://www.manageengine.com/products/desktop-central/cve-2024-9097.html\",\"source\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"tags\":[\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"current_release_date": "2025-05-28T22:18:38+00:00",
"cve": "CVE-2024-9097",
"id": "CVE-2024-9097",
"initial_release_date": "2024-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "IDOR",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-9097.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-9097\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-05T13:56:34.454181Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T20:43:05.541Z\"}}], \"cna\": {\"title\": \"IDOR\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Vishnu Das from Temenos\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"ManageEngine\", \"product\": \"Endpoint Central\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"11.3.2440.09\", \"versionType\": \"11.3.2440.09\"}], \"platforms\": [\"Windows\"], \"collectionURL\": \"https://www.manageengine.com/products/desktop-central/\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.manageengine.com/products/desktop-central/cve-2024-9097.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"ManageEngine Endpoint Central versions before\\u00a011.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"ManageEngine Endpoint Central versions before\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"0fc0942c-577d-436f-ae8e-945763c79b02\", \"shortName\": \"ManageEngine\", \"dateUpdated\": \"2025-02-05T12:40:15.257Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-9097\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T20:51:30.048Z\", \"dateReserved\": \"2024-09-23T04:18:05.868Z\", \"assignerOrgId\": \"0fc0942c-577d-436f-ae8e-945763c79b02\", \"datePublished\": \"2025-02-05T12:40:15.257Z\", \"assignerShortName\": \"ManageEngine\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…