Cyber Posture

CVE-2024-39033

High

Published: 06 February 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0017 (38.1th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

In Newgensoft OmniDocs 11.0_SP1_03_006, an Insecure Direct Object Reference (IDOR) in the getuserproperty function allows users' configuration and PII to be stolen.

Security Summary

CVE-2024-39033 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting Newgensoft OmniDocs version 11.0_SP1_03_006. The issue resides in the getuserproperty function, which improperly exposes users' configuration data and personally identifiable information (PII) due to inadequate access controls on object references. Published on 2025-02-06, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily from confidentiality impacts.

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. By manipulating object references in requests to the getuserproperty function, they can retrieve sensitive configuration details and PII belonging to other users, achieving unauthorized data disclosure without affecting system integrity or availability.

Mitigation guidance and additional details are available in the referenced advisory at https://pastebin.com/SHExsfh6.

Details

CWE(s)
CWE-639
