Exploit
CVE-2024-9082
Improper Authorization (CWE-285)
Published: Sep 22, 2024 / Updated: 58d ago

010

CVSS 5.3EPSS 0.05%Medium

CVE info copied to clipboard

Summary

A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Users.phpf=save of the component User Creation Handler. The manipulation of the argument type with the input 1 leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Impact

This vulnerability allows remote attackers to bypass authorization controls, potentially leading to unauthorized access to sensitive functionality or data. Given the critical rating and the CVSS v3.1 base score of 9.8, the impact is severe. Attackers could potentially gain full control over the affected system, compromising the confidentiality, integrity, and availability of data and services. This could result in unauthorized user account creation, modification of existing accounts, or access to privileged functions within the Online Eyewear Shop application.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability details have been published on vuldb.com, and patch information can be found at the following URLs: 1. https://vuldb.com/?ctiid.278252 2. https://vuldb.com/?id.278252 3. https://vuldb.com/?submit.411565

Mitigation

1. Apply the available patch immediately to SourceCodester Online Eyewear Shop version 1.0. 2. Implement proper authorization checks in the User Creation Handler, especially in the /Users.phpf=save file. 3. Validate and sanitize all user inputs, particularly those related to user type arguments. 4. Implement the principle of least privilege for all user accounts and system components. 5. Monitor for any suspicious activities or unauthorized access attempts, especially those targeting the User Creation Handler. 6. Consider implementing additional access controls and authentication mechanisms to protect sensitive functionality. 7. Regularly review and update security configurations for the web application and its underlying systems. 8. Conduct a thorough security audit of the entire application to identify and address any similar vulnerabilities.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X