Cyber Posture

CVE-2024-46310

Critical

Published: 13 January 2025
Modified: 15 April 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.8300 (99.3rd percentile)
Risk Priority: 68 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via an exposed API endpoint.

Security Summary

CVE-2024-46310 is an incorrect access control vulnerability affecting Cfx.re FXServer versions v9601 and earlier. The flaw is an exposed API endpoint that permits unauthenticated users to read and modify arbitrary user data; it is classified under CWE-281. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), rated critical because of its high impact on confidentiality and integrity.

Exploitation requires no privileges or user interaction and can be carried out remotely over the network with low complexity. A successful attack lets an unauthenticated remote attacker read and alter sensitive user data stored on the server, which can lead to data theft, account takeover, or unauthorized modification of records across affected FXServer instances.

For mitigation details, refer to advisories and resources at http://cfxre.com and https://github.com/PRX5Y/CVE-2024-46310.

Details

CWE(s)
CWE-281

References