
CVE-2024-38164

Improper Access Control (CWE-284)

Published: Jul 23, 2024

CVSS 8.8 | EPSS 0.09% | High

Summary

An improper access control vulnerability in GroupMe allows an unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link. This vulnerability affects the GroupMe application developed by Microsoft.

Impact

The vulnerability has a high impact on confidentiality, integrity, and availability. If exploited, it could lead to:

1. Unauthorized access to sensitive information
2. Modification of data within the GroupMe application
3. Disruption of GroupMe services
4. Elevated privileges for the attacker within the affected system

The attack vector is network-based, requiring user interaction (clicking a malicious link), which slightly reduces the ease of exploitation but still poses a significant risk. The CVSS v3.1 base score is 8.8 (High severity), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high impacts on confidentiality, integrity, and availability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability. The patch was added on 2024-07-23, and security teams should prioritize applying this update to all affected GroupMe installations.

Mitigation

1. Apply the official patch released by Microsoft as soon as possible to all affected GroupMe installations.
2. Educate users about the risks of clicking on unknown or suspicious links, especially within the GroupMe application.
3. Implement network segmentation to limit the potential spread if the vulnerability is exploited.
4. Apply the principle of least privilege to minimize the impact of successful attacks.
5. Monitor for unusual activity or unauthorized privilege escalations in the GroupMe application.
6. Consider implementing additional access controls and authentication measures for critical functions within GroupMe.
7. Regularly update and patch the GroupMe application as part of ongoing security maintenance.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Jul 23, 2024 at 9:30 PM / microsoft - CVSS: A CVSS base score of 9.6 has been assigned.

Jul 23, 2024 at 9:31 PM / CVE - First Article: Feedly found the first article mentioning CVE-2024-38164.

Jul 23, 2024 at 9:33 PM - CVSS Estimate: Feedly estimated the CVSS score as HIGH.

Jul 23, 2024 at 10:15 PM - CVE Assignment: NVD published the first details for CVE-2024-38164.

Jul 24, 2024 at 2:18 AM - Trending: This CVE started to trend in security discussions.

Jul 24, 2024 at 9:39 AM - EPSS: EPSS Score was set to: 0.09% (Percentile: 39.4%).

Jul 26, 2024 at 1:10 PM - Trending: This CVE stopped trending in security discussions.

Sep 5, 2024 at 10:05 PM / nvd - CVSS: A CVSS base score of 8.8 has been assigned.

Affected Systems

Microsoft/groupme

Patches

Microsoft

Links to MITRE ATT&CK

T1546.004:

Attack Patterns

CAPEC-19: Embedding Scripts within Scripts

References

CVE-2024-38164 - Security Update Guide - Microsoft - GroupMe Elevation of Privilege Vulnerability
There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
GroupMe Elevation of Privilege Vulnerability
An improper access control vulnerability in GroupMe allows an unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link. Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?
CVE-2024-38164 GroupMe Elevation of Privilege Vulnerability
An improper access control vulnerability in [GroupMe](https://groupme.com/) allows an unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.

News

Security Advisory: GroupMe Elevation of Privilege Vulnerability (CVE-2024-38164)
Released: July 23, 2024. Assigning CNA: Microsoft.
Vulnerability Summary for the Week of July 22, 2024
Vulnerability Summary for the Week of July 22, 2024 bjackson Jul 29, 2024 High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info 202ecommerce--paypal In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order. This could allow a threat actor to confirm an order with a fraudulent payment support. Versions 6.4.2 and 3.18.1 contain a patch for the issue. Additionally, users enable webhooks and check they are callable. 2024-07-26 7.5 CVE-2024-41670 security-advisories@github.com ABB--Advant MOD 300 AdvaBuild AdvaBuild uses a command queue to launch certain operations. An attacker who gains access to the command queue can use it to launch an attack by running any executable on the AdvaBuild node. The executables that can be run are not limited to AdvaBuild specific executables. Improper Privilege Management vulnerability in ABB Advant MOD 300 AdvaBuild.This issue affects Advant MOD 300 AdvaBuild: from 3.0 through 3.7 SP2. 2024-07-23 8.8 CVE-2020-11640 cybersecurity@ch.abb.com ABB--Advant MOD 300 AdvaBuild An attacker could exploit the vulnerability by injecting garbage data or specially crafted data.
dealtown - @RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 29 - SANS Institute
Product: D-Link DNS-320L CVSS Score: 0 ** KEV since 2024-04-11 ** NVD: ISC Diary: ISC Podcast: CVE-2024-20401 - Cisco Secure Email Gateway is vulnerable to remote attackers overwriting arbitrary files on the underlying operating system due to improper handling of email attachments, potentially leading to unauthorized access, configuration modification, code execution, or a denial of service situation requiring manual recovery. Product: Cisco Secure Email Gateway CVSS Score: 9.8 NVD: ISC Podcast: NVD References: CVE-2024-20419 - Cisco Smart Software Manager On-Prem (SSM On-Prem) has a vulnerability that allows unauthenticated attackers to change any user's password, including administrative users, due to improper implementation of the password-change process.
In Other News: FBI Cyber Action Team, Pentagon IT Firm Leak, Nigerian Gets 12 Years in Prison
The FBI has published a story on its Cyber Action Team, which can be deployed across the world within hours to help critical infrastructure organizations respond to cyberattacks and other threats. Web3 identity solutions provider Fractal ID revealed that a threat actor recently managed to exfiltrate data belonging to 6,300 users — representing less than 1% of its user base — after compromising credentials for an operator account that had admin privileges.
Multiple vulnerabilities in Microsoft GroupMe
The vulnerability exists due to improper access restrictions in GroupMe. A remote attacker can trick a victim into clicking on a malicious link and gain elevated privileges on the system. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
