CVE-2024-56889
Published: 06 February 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2024-56889 is an incorrect access control vulnerability in the /admin/m_delete.php endpoint of CodeAstro Complaint Management System version 1.0. Published on 2025-02-06, it enables unauthorized attackers to arbitrarily delete complaints by modifying the id parameter. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-284 (Improper Access Control).
The vulnerability is exploitable remotely over the network with low attack complexity, requiring no authentication privileges, no user interaction, and maintaining unchanged impact scope. Successful exploitation results in high integrity impact through unauthorized deletion of complaints, without affecting confidentiality or availability.
Mitigation details are available in the referenced advisory at https://github.com/vigneshr232/CVE-2024-56889/blob/main/CVE-2024-56889.md.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an access control flaw in a public-facing web application endpoint allowing unauthorized arbitrary deletion of stored data (complaints), enabling T1190 (Exploit Public-Facing Application) and T1565.001 (Stored Data Manipulation).