CVE-2024-53855

Nov. 27, 2024, 7:15 p.m.

1.9
Low

Description

Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.

Product(s) Impacted

Product Versions
Centurion ERP
  • ['1.3.1']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-653
Improper Isolation or Compartmentalization
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

References

https://github.com/nofusscomputing/centurion_erp/pull/399
https://github.com/nofusscomputing/centurion_erp/pull/399/commits/61f34876ed0f8362f7185bd5eecfc830a9de5cb0
https://github.com/nofusscomputing/centurion_erp/releases/tag/1.3.1
https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-h9q2-fcc6-r65c

Tags

security-advisories@github.com
CWE-653
2024-11-27
CVE-2024-53855

CVSS Score

1.9 / 10

CVSS Data - 3.1

  • Attack Vector: PHYSICAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: Nov. 27, 2024, 7:15 p.m.
Last Modified: Nov. 27, 2024, 7:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.