CVE-2024-54818
Published: 08 January 2025
Description
Adversaries may attempt to get a listing of local system accounts.
Security Summary
CVE-2024-54818 is an Incorrect Access Control vulnerability (CWE-281) in SourceCodester Computer Laboratory Management System 1.0, accessible via the /php-lms/admin/?page=user/list endpoint. Published on 2025-01-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact.
An attacker with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) without changing scope (S:U), potentially allowing unauthorized actions on user management functions.
Advisories and references include vulnerability research details at https://github.com/CloseC4ll/vulnerability-research/tree/main/CVE-2024-54818 and general guidance on preventing access control vulnerabilities from PortSwigger at https://portswigger.net/web-security/access-control#how-to-prevent-access-control-vulnerabilities. No specific patches are detailed in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect access control in public-facing web app (/php-lms/admin/?page=user/list) enables exploitation for initial access (T1190) and unauthorized local account discovery (T1087.001).