CVE-2024-56883

High CVSS: 8.1

Sage DPW before 2024_12_001 is vulnerable to Incorrect Access Control. The implemented role-based access controls are not always enforced on the server side. Low-privileged Sage users with employee role privileges can create external courses for other employees, even though they do not have the option to do so in the user interface. To do this, a valid request to create a course simply needs to be modified, so that the current user ID in the "id" parameter is replaced with the ID of another user.

Vendor

Sagedpw

Product

Sage Dpw

CWE

CWE-284

Yayın Tarihi

2025-02-18 18:15:27

Güncelleme

2025-09-25 13:27:35

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-284 Sage Dpw HIGH Sagedpw 2025

Referanslar

https://cves.at/posts/cve-cve-2024-56883/writeup/

Benzer Kayıtlar

Medium

CVE-2025-67805

A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Dat…

Low

CVE-2025-67806

The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumer…

Medium

CVE-2025-67807

The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumer…

Medium

CVE-2025-51533

An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access in…

Medium

CVE-2025-51531

A reflected cross-site scripting (XSS) vulnerability in Sage DPW 2024_12_004 and earlier allows attackers to execute arb…

High

CVE-2025-51532

Incorrect access control in Sage DPW 2024_12_004 and earlier allows unauthorized attackers to access the built-in Databa…