CVE-2024-50633
Published: 16 January 2025
Description
Adversaries may attempt to get a listing of local system accounts.
Security Summary
CVE-2024-50633 is a Broken Object Level Authorization (BOLA) vulnerability, mapped to CWE-201 (Exposure of Sensitive Information to an Unauthorized Actor), affecting Indico versions through 3.3.5. The issue resides in the /api/principals component, where an attacker can send a crafted POST request to read information about user accounts.
Any network-accessible attacker with no privileges (PR:N) can exploit this by submitting the crafted POST request to the vulnerable endpoint, potentially retrieving details about other users. However, the CVSS v3.1 base score is 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N), indicating no measurable impact on confidentiality, integrity, or availability. The supplier disputes the vulnerability, stating that the product intentionally allows all users to retrieve certain information about other user accounts, without restricting this capability to privileged roles such as event organizers.
Advisories are limited to the GitHub repository at https://github.com/cetinpy/CVE-2024-50633 and its issue tracker at https://github.com/cetinpy/CVE-2024-50633/issues/1, which document the finding but provide no specific patch, workaround, or mitigation details beyond the ongoing dispute. The CVE was published on 2025-01-16; no real-world exploitation has been reported.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The BOLA vulnerability allows authenticated attackers to access sensitive information about arbitrary user accounts by manipulating the 'User:ID' parameter in POST requests to /api/principals, which enables local account discovery.