CVE-2024-53355
Published: 31 January 2025
Description
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Security Summary
CVE-2024-53355 consists of multiple incorrect access control issues (CWE-281) in EasyVirt DCScope versions up to and including 8.6.0 and CO2Scope versions up to and including 1.3.0. These vulnerabilities enable unauthorized operations on user, group, and role management through the following API routes:
- User management: adding admin users via /api/user/addalias, modifying users via /api/user/updatealias, deleting users via /api/user/delalias, and retrieving users via /api/user/aliases.
- Group management: adding root groups via /api/user/adduser, modifying groups via /api/user/updateuser, deleting groups via /api/user/deluser, and retrieving groups via /api/user/users.
- Role management: adding admin roles via /api/user/addrole, modifying roles via /api/user/updaterole, deleting roles via /api/user/delrole, and retrieving roles via /api/user/roles.
Remote authenticated attackers with low privileges can exploit these issues over the network with low complexity and no user interaction required. Successful exploitation grants the ability to fully manipulate the user database, including creating admin accounts, altering privileges, and deleting entities, as well as similar control over groups and roles. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability, potentially allowing privilege escalation to administrative control.
Advisories and additional details are documented at https://github.com/Elymaro/CVE/blob/main/EasyVirt/CVE-2024-53355.md.
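The failure pattern the advisory describes, modelled as an added example (not EasyVirt's code): an authorization check that only verifies the caller is logged in, beside a hardened check that additionally requires the admin role on the listed management routes. The route names come from the advisory; the Session shape, the role vocabulary ("admin"/"user") and the audit helper are assumptions for illustration.

```python
"""Added example: minimal model of the missing access control check.

Route names are the ones the advisory lists; the session shape and the
role names "admin"/"user" are assumed for illustration only.
"""
from dataclasses import dataclass

# Routes the advisory says perform user/group/role management
# without an adequate authorization check.
PRIVILEGED_ROUTES = frozenset({
    "/api/user/addalias", "/api/user/updatealias", "/api/user/delalias",
    "/api/user/aliases",
    "/api/user/adduser", "/api/user/updateuser", "/api/user/deluser",
    "/api/user/users",
    "/api/user/addrole", "/api/user/updaterole", "/api/user/delrole",
    "/api/user/roles",
})


@dataclass(frozen=True)
class Session:
    username: str
    role: str                 # assumed vocabulary: "admin" or "user"
    authenticated: bool = True


def authorize_vulnerable(path: str, session: Session) -> bool:
    """Pattern behind the advisory: any authenticated session may call
    any route, so a low-privileged user reaches admin-only management."""
    return session.authenticated


def authorize_fixed(path: str, session: Session) -> bool:
    """Hardened form: authentication is necessary but not sufficient.
    Management routes also require the admin role, decided server-side
    from the session rather than from anything in the request body."""
    if not session.authenticated:
        return False
    if path in PRIVILEGED_ROUTES:
        return session.role == "admin"
    return True


def audit(session: Session) -> dict:
    """Privileged routes each policy lets this session reach. As a
    regression test, "fixed" must be empty for every non-admin session."""
    return {
        "vulnerable": sorted(p for p in PRIVILEGED_ROUTES if authorize_vulnerable(p, session)),
        "fixed": sorted(p for p in PRIVILEGED_ROUTES if authorize_fixed(p, session)),
    }


if __name__ == "__main__":
    print(audit(Session("alice", "user")))   # constructed low-privileged account
```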
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged users to enumerate (discovery), create, modify, and delete users, groups, and roles via the API endpoints, which maps to permission groups/account discovery, account creation/manipulation, and account access removal.