GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.</p> CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"/>GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.</p> CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"/>
Improper Access Control (CWE-284)
An improper access control vulnerability in GroupMe allows an unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link. This vulnerability affects the GroupMe application developed by Microsoft.
The vulnerability has a high impact on confidentiality, integrity, and availability. If exploited, it could lead to: 1. Unauthorized access to sensitive information 2. Modification of data within the GroupMe application 3. Disruption of GroupMe services 4. Elevated privileges for the attacker within the affected system The attack vector is network-based, requiring user interaction (clicking a malicious link), which slightly reduces the ease of exploitation but still poses a significant risk. The CVSS v3.1 base score is 8.8 (High severity), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high impacts on confidentiality, integrity, and availability.
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
A patch is available. Microsoft has released an official fix for this vulnerability. The patch was added on 2024-07-23, and security teams should prioritize applying this update to all affected GroupMe installations.
1. Apply the official patch released by Microsoft as soon as possible to all affected GroupMe installations. 2. Educate users about the risks of clicking on unknown or suspicious links, especially within the GroupMe application. 3. Implement network segmentation to limit the potential spread if the vulnerability is exploited. 4. Apply the principle of least privilege to minimize the impact of successful attacks. 5. Monitor for unusual activity or unauthorized privilege escalations in the GroupMe application. 6. Consider implementing additional access controls and authentication measures for critical functions within GroupMe. 7. Regularly update and patch the GroupMe application as part of ongoing security maintenance.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
A CVSS base score of 9.6 has been assigned.
Feedly found the first article mentioning CVE-2024-38164. See article
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-38164
This CVE started to trend in security discussions
EPSS Score was set to: 0.09% (Percentile: 39.4%)
This CVE stopped trending in security discussions
A CVSS base score of 8.8 has been assigned.