6.3 CVE-2024-11485

 

A vulnerability, which was classified as critical, has been found in Code4Berry Decoration Management System 1.0. Affected by this issue is some unknown functionality of the file /decoration/admin/userregister.php of the component User Handler. The manipulation leads to permission issues. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
https://nvd.nist.gov/vuln/detail/CVE-2024-11485

Categories

CWE-266 : Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. untrusted user placed in unix "wheel" group Product allows users to grant themselves certain rights that can be used to escalate privileges. Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue. Product mistakenly assigns a particular status to an entity, leading to increased privileges.

References


 

CPE

cpe start end


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
No entry