GHSA-2hr5-cvwp-jr5w

Source
https://github.com/advisories/GHSA-2hr5-cvwp-jr5w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-2hr5-cvwp-jr5w/GHSA-2hr5-cvwp-jr5w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2hr5-cvwp-jr5w
Aliases
  • CVE-2024-55186
Published
2024-12-20T18:31:32Z
Modified
2024-12-20T21:47:48.803649Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Oqtane Framework Insecure Direct Object Reference vulnerability
Details

An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.

Database specific
{
    "nvd_published_at": "2024-12-20T16:15:23Z",
    "cwe_ids": [
        "CWE-639",
        "CWE-863"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-20T19:40:59Z"
}
References

Affected packages

NuGet / Oqtane.Framework

Package

Name
Oqtane.Framework
Purl
pkg:nuget/Oqtane.Framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
6.0.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

2.*

2.0.0
2.0.1
2.0.2
2.1.0
2.2.0
2.3.0
2.3.1

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.4.3

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6

5.*

5.0.0
5.0.1
5.0.2
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4

6.*

6.0.0

NuGet / Oqtane.Client

Package

Name
Oqtane.Client
Purl
pkg:nuget/Oqtane.Client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
6.0.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

2.*

2.0.0
2.0.1
2.0.2
2.1.0
2.2.0
2.3.0
2.3.1

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.4.3

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6

5.*

5.0.0
5.0.1
5.0.2
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4

6.*

6.0.0

NuGet / Oqtane.Server

Package

Name
Oqtane.Server
Purl
pkg:nuget/Oqtane.Server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
6.0.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

2.*

2.0.0
2.0.1
2.0.2
2.1.0
2.2.0
2.3.0
2.3.1

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.4.3

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6

5.*

5.0.0
5.0.1
5.0.2
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4

6.*

6.0.0

NuGet / Oqtane.Shared

Package

Name
Oqtane.Shared
Purl
pkg:nuget/Oqtane.Shared

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
6.0.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

2.*

2.0.0
2.0.1
2.0.2
2.1.0
2.2.0
2.3.0
2.3.1

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.4.3

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6

5.*

5.0.0
5.0.1
5.0.2
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4

6.*

6.0.0