{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4538", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-05-06T09:57:42.029Z", "datePublished": "2024-05-07T11:35:47.621Z", "dateUpdated": "2024-08-01T20:40:47.514Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Janto Ticketing Software", "vendor": "Impronta", "versions": [{"status": "affected", "version": "4.3r10.cks"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Alejandro Amor\u00edn Ni\u00f1o"}], "datePublic": "2024-05-06T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain a user's event ticket by creating a specific request with the ticket reference ID, leading to the exposure of sensitive user data."}], "value": "IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain a user's event ticket by creating a specific request with the ticket reference ID, leading to the exposure of sensitive user data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-05-07T11:35:47.621Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto-ticketing-software"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerabilities were fixed by the Impronta team in version 10.cks, released in November 2022. Following INCIBE's notification of the vulnerability, Impronta has again conducted a thorough review of the service and re-analysed the possible weaknesses of the validation process in the service call, including additional measures in version R11."}], "value": "The vulnerabilities were fixed by the Impronta team in version 10.cks, released in November 2022. Following INCIBE's notification of the vulnerability, Impronta has again conducted a thorough review of the service and re-analysed the possible weaknesses of the validation process in the service call, including additional measures in version R11."}], "source": {"discovery": "EXTERNAL"}, "title": "IDOR vulnerability in Janto Ticketing Software", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4538", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T17:25:50.417319Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:impronta:janto_ticketing_system:*:*:*:*:*:*:*:*"], "vendor": "impronta", "product": "janto_ticketing_system", "versions": [{"status": "affected", "version": "4.3r10"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:56:30.333Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:40:47.514Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto-ticketing-software", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto-ticketing-software", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:40:47.514Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4538", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T17:25:50.417319Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:impronta:janto_ticketing_system:*:*:*:*:*:*:*:*"], "vendor": "impronta", "product": "janto_ticketing_system", "versions": [{"status": "affected", "version": "4.3r10"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-07T17:27:09.465Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "IDOR vulnerability in Janto Ticketing Software", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Alejandro Amor\u00edn Ni\u00f1o"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Impronta", "product": "Janto Ticketing Software", "versions": [{"status": "affected", "version": "4.3r10.cks"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerabilities were fixed by the Impronta team in version 10.cks, released in November 2022. Following INCIBE's notification of the vulnerability, Impronta has again conducted a thorough review of the service and re-analysed the possible weaknesses of the validation process in the service call, including additional measures in version R11.", "supportingMedia": [{"type": "text/html", "value": "The vulnerabilities were fixed by the Impronta team in version 10.cks, released in November 2022. Following INCIBE's notification of the vulnerability, Impronta has again conducted a thorough review of the service and re-analysed the possible weaknesses of the validation process in the service call, including additional measures in version R11.", "base64": false}]}], "datePublic": "2024-05-06T10:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto-ticketing-software"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain a user's event ticket by creating a specific request with the ticket reference ID, leading to the exposure of sensitive user data.", "supportingMedia": [{"type": "text/html", "value": "IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain a user's event ticket by creating a specific request with the ticket reference ID, leading to the exposure of sensitive user data.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-05-07T11:35:47.621Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4538", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:40:47.514Z", "dateReserved": "2024-05-06T09:57:42.029Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-05-07T11:35:47.621Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain a user's event ticket by creating a specific request with the ticket reference ID, leading to the exposure of sensitive user data."}, {"lang": "es", "value": "Vulnerabilidad IDOR en Janto Ticketing Software que afecta a la versi\u00f3n 4.3r10. Esta vulnerabilidad podr\u00eda permitir que un usuario remoto obtenga una entrada para un evento mediante la creaci\u00f3n de una solicitud espec\u00edfica con el ID de referencia de la entrada, lo que provocar\u00eda la exposici\u00f3n de datos confidenciales del usuario."}], "id": "CVE-2024-4538", "lastModified": "2024-05-07T13:39:32.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2024-05-07T12:15:10.030", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto-ticketing-software"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}