CVE-2024-12651

CVE-2024-12651 is an Exposed Dangerous Method or Function vulnerability in the PTT Inc. HGS Mobile App that allows manipulation of user-controlled variables. This issue affects versions of the HGS Mobile App prior to 6.5.0. The vulnerability is classified under CWE-749 and carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality impact across scope.

A low-privileged user (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality breaches, such as unauthorized access to sensitive data (C:H), alongside low-impact integrity modifications (I:L), while availability remains unaffected (A:N). The changed scope (S:C) suggests the attack can affect resources beyond the vulnerable component.

Mitigation is addressed in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0034, with upgrading to HGS Mobile App version 6.5.0 or later eliminating the vulnerability in affected versions. Security practitioners should verify patch deployment and review access controls for low-privileged accounts interacting with the app.