This vulnerability exists in the Wave 2.0 due to missing authorization check on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter “user_id” through API request URLs which could lead to unauthorized creation, modification and deletion of alerts belonging to other user accounts.
History

Fri, 08 Nov 2024 15:45:00 +0000

Type Values Removed Values Added
First Time appeared 63moons
63moons aero
63moons wave 2.0
CPEs cpe:2.3:a:63moons:aero:*:*:*:*:*:*:*:*
cpe:2.3:a:63moons:wave_2.0:*:*:*:*:*:*:*:*
Vendors & Products 63moons
63moons aero
63moons wave 2.0
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Mon, 04 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 Nov 2024 12:45:00 +0000

Type Values Removed Values Added
Description This vulnerability exists in the Wave 2.0 due to missing authorization check on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter “user_id” through API request URLs which could lead to unauthorized creation, modification and deletion of alerts belonging to other user accounts.
Title Improper Access Control Vulnerability in Wave 2.0
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-In

Published: 2024-11-04T12:20:18.995Z

Updated: 2024-11-04T15:02:42.823Z

Reserved: 2024-10-29T12:55:06.456Z

Link: CVE-2024-51559

cve-icon Vulnrichment

Updated: 2024-11-04T15:02:38.661Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-04T13:17:05.650

Modified: 2024-11-08T15:19:03.367

Link: CVE-2024-51559

cve-icon Redhat

No data.