CVE-2024-12306

Dec. 9, 2024, 9:15 a.m.

4.3
Medium

Description

Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints and object-level access control issues in profile viewing endpoints. A malicious student user can access personal information of other students and teachers through these vulnerabilities. At the time of publication of the CVE no patch is available.

Product(s) Impacted

Product Versions
Unifiedtransform
  • 2.0
  • potentially earlier versions

Weaknesses

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://huntr.com/bounties/90a7299e-9233-43fd-b666-7375c4fdbb3c

Tags

CWE-284
vulnerability@ncsc.ch
2024-12-09
CVE-2024-12306

CVSS Score

4.3 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Date

  • Published: Dec. 9, 2024, 9:15 a.m.
  • Last Modified: Dec. 9, 2024, 9:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

vulnerability@ncsc.ch

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.