CVE-2024-56883
Published: 18 February 2025
Description
Sage DPW before 2024_12_001 is vulnerable to Incorrect Access Control. The implemented role-based access controls are not always enforced on the server side. Low-privileged Sage users with employee role privileges can create external courses for other employees, even though they do not have the option to do so in the user interface. To do this, a valid request to create a course simply needs to be modified, so that the current user ID in the "id" parameter is replaced with the ID of another user.
Security Summary
CVE-2024-56883 is an Incorrect Access Control vulnerability (CWE-284) in Sage DPW versions prior to 2024_12_001. The flaw arises because role-based access controls are not consistently enforced on the server side, allowing unauthorized actions despite UI restrictions.
Low-privileged users with employee role privileges can exploit the vulnerability over the network with low complexity and no user interaction required. By capturing a valid course creation request and modifying the "id" parameter to replace their own user ID with that of another employee, attackers can create external courses on behalf of other users. This results in high confidentiality and integrity impacts, as reflected in the CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Advisories recommend updating to Sage DPW version 2024_12_001 or later to mitigate the issue. Additional details are available in the writeup at https://cves.at/posts/cve-cve-2024-56883/writeup/.
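The root cause described above is a handler that trusts the client-supplied "id" parameter instead of deriving the owner from the authenticated session. The following Python is an added illustration, not Sage DPW's code: the user table, the `hr` role that is allowed to act for other users, the `CourseStore`, and the request shape are all constructed assumptions. It places the vulnerable pattern beside a hardened version and replays the advisory's attack (an employee swapping its own id for another user's) against both.

```python
"""
Added illustration of the CVE-2024-56883 root cause: a course-creation handler
that honours a client-supplied "id" instead of the session identity.  The user
table, roles, store and request shape are constructed for this example and are
not Sage DPW's data model.
"""
from dataclasses import dataclass, field

# Constructed user table: user id -> role.  Only "hr" may create courses
# on behalf of other users (an assumption made for this example).
USERS = {101: "employee", 102: "employee", 200: "hr"}


class Forbidden(Exception):
    """Raised when the server-side authorization check rejects a request."""


@dataclass
class CourseStore:
    courses: list = field(default_factory=list)


def create_course_vulnerable(store, session_user_id, params):
    """Pattern the advisory describes: the UI only ever submits the caller's
    own id, so the server never re-checks it.  Replaying the request with
    another user's id creates a course on that user's record."""
    course = {"owner": int(params["id"]), "title": params["title"]}
    store.courses.append(course)
    return course


def create_course_fixed(store, session_user_id, params):
    """Server-side enforcement: the owner defaults to the session user, and a
    client-supplied id that differs is only honoured for the privileged role.
    The check runs regardless of what the UI did or did not offer."""
    role = USERS.get(session_user_id)
    if role is None:
        raise Forbidden("unknown session user")
    requested = int(params.get("id", session_user_id))
    if requested != session_user_id and role != "hr":
        raise Forbidden(
            f"user {session_user_id} ({role}) may not create courses for user {requested}"
        )
    if requested not in USERS:
        raise Forbidden(f"target user {requested} does not exist")
    course = {"owner": requested, "title": params["title"]}
    store.courses.append(course)
    return course


def replay_attack(handler):
    """Simulate the advisory's attack: employee 101 captures its own valid
    request and swaps the id for user 102.  Returns the owner id the handler
    recorded, or None if the handler rejected the request."""
    store = CourseStore()
    tampered = {"id": "102", "title": "External course"}  # constructed request
    try:
        return handler(store, 101, tampered)["owner"]
    except Forbidden:
        return None


if __name__ == "__main__":
    print("vulnerable handler records owner:", replay_attack(create_course_vulnerable))
    print("fixed handler records owner:", replay_attack(create_course_fixed))
```

The practitioner's check is the same as the fixed handler's: for any request that names a subject other than the caller, the server must decide from the session role, not from the presence or absence of a UI control, whether that substitution is allowed.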
Details
- CWE(s): CWE-284 (Improper Access Control)