GHSA-995c-qww8-64fj

Source
https://github.com/advisories/GHSA-995c-qww8-64fj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-995c-qww8-64fj/GHSA-995c-qww8-64fj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-995c-qww8-64fj
Aliases
  • CVE-2024-55470
Published
2024-12-20T18:31:32Z
Modified
2024-12-20T20:12:20.256077Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Oqtane Framework Incorrect Access Control vulnerability
Details

Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.

Database specific
{
    "nvd_published_at": "2024-12-20T16:15:23Z",
    "cwe_ids": [
        "CWE-290"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-20T19:40:51Z"
}
References

Affected packages

NuGet / Oqtane.Framework

Package

Name
Oqtane.Framework
Purl
pkg:nuget/Oqtane.Framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Last affected
6.0.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

2.*

2.0.0
2.0.1
2.0.2
2.1.0
2.2.0
2.3.0
2.3.1

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.4.3

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6

5.*

5.0.0
5.0.1
5.0.2
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4

6.*

6.0.0

NuGet / Oqtane.Server

Package

Name
Oqtane.Server
Purl
pkg:nuget/Oqtane.Server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Last affected
6.0.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

2.*

2.0.0
2.0.1
2.0.2
2.1.0
2.2.0
2.3.0
2.3.1

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.4.3

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6

5.*

5.0.0
5.0.1
5.0.2
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4

6.*

6.0.0