CVE-2024-11216
Published: 05 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2024-11216 is an Authorization Bypass Through User-Controlled Key and Exposure of Private Personal Information to an Unauthorized Actor vulnerability in PozitifIK Pik Online. It affects Pik Online versions before 3.1.5 and enables account footprinting and session hijacking. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) and maps to CWE-359 (Exposure of Private Information to an Unauthorized Actor) and CWE-639 (Authorization Bypass Through User-Controlled Key). It was published on 2025-03-05.
An attacker requires low privileges (PR:L) to exploit this issue remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows high-impact confidentiality loss (C:H) through exposure of private personal information to unauthorized actors, alongside low-impact integrity (I:L) and availability (A:L) effects, facilitating account footprinting and session hijacking within the affected scope (S:U).
The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0052 provides further details. Affected systems should be updated to Pik Online version 3.1.5 or later to mitigate the issue.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass via user-controlled key and exposure of private information directly enables account footprinting (T1087 Account Discovery) and session hijacking via stolen web session data (T1539 Steal Web Session Cookie).