CVE-2024-56898
Published: 03 February 2025
Description
Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low-privilege users to perform actions that they aren't authorized to, which can be leveraged to escalate privileges and to create, modify or delete accounts.
Security Summary
CVE-2024-56898 is a broken access control vulnerability affecting Geovision GV-ASWeb in versions v6.1.0.0 and lower. It enables low-privilege users to perform unauthorized actions, which can be exploited to escalate privileges as well as create, modify, or delete accounts. The vulnerability is classified under CWE-284 (Improper Access Control) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for significant impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by low-privilege users (PR:L) over the network without requiring user interaction. Attackers with initial low-level access, such as standard authenticated users, can leverage the broken access controls to perform administrative actions, including privilege escalation and full account lifecycle management (creation, modification, deletion). Because those actions include creating accounts and changing roles, a single low-privilege account is sufficient to obtain full administrative control of the application, which is what the C:H/I:H/A:H impact vector reflects.
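The failure mode the summary describes, an account-management operation that verifies only that the caller is logged in and never checks what the caller's role permits, in miniature. This is an added illustration, not GV-ASWeb code: the product's real endpoints, role names and request format are not on this page, so the `Role` model, the `VulnerableAccountService` / `HardenedAccountService` classes and the `require_role` decorator are all assumptions made for the example. `probe_as_low_privilege_user` drives the three lifecycle operations (create, modify, delete) from a viewer session and reports which ones went through, which is the test an assessor would run against any instance to confirm or rule out this class of bug.

```python
"""Constructed example of CWE-284 in an account-management API.
Not GV-ASWeb code; every name below is a hypothetical stand-in."""
from dataclasses import dataclass
from enum import IntEnum
from functools import wraps


class Role(IntEnum):
    """Ordered so that a simple comparison expresses 'at least this role'."""
    VIEWER = 1
    OPERATOR = 2
    ADMIN = 3


class Forbidden(Exception):
    """Raised when the caller's role does not permit the operation."""


@dataclass
class Account:
    username: str
    role: Role


@dataclass
class Session:
    """An authenticated session. The role comes from the server-side
    account record, never from anything the client sends."""
    account: Account


def require_role(minimum: Role):
    """Server-side authorization gate applied to each privileged method."""
    def deco(fn):
        @wraps(fn)
        def wrapper(self, session: Session, *args, **kwargs):
            if session.account.role < minimum:
                raise Forbidden(f"{fn.__name__} requires {minimum.name}")
            return fn(self, session, *args, **kwargs)
        return wrapper
    return deco


class VulnerableAccountService:
    """Authentication only: any logged-in user can reach every operation.
    This is the pattern the advisory describes, modelled hypothetically."""

    def __init__(self):
        # Constructed seed data: one administrator, one low-privilege user.
        self.accounts = {
            "admin": Account("admin", Role.ADMIN),
            "guest": Account("guest", Role.VIEWER),
        }

    def create_account(self, session: Session, username: str, role: Role):
        self.accounts[username] = Account(username, role)

    def set_role(self, session: Session, username: str, role: Role):
        self.accounts[username].role = role

    def delete_account(self, session: Session, username: str):
        del self.accounts[username]


class HardenedAccountService(VulnerableAccountService):
    """Same operations; each is gated on the caller's server-side role."""

    @require_role(Role.ADMIN)
    def create_account(self, session, username, role):
        super().create_account(session, username, role)

    @require_role(Role.ADMIN)
    def set_role(self, session, username, role):
        super().set_role(session, username, role)

    @require_role(Role.ADMIN)
    def delete_account(self, session, username):
        super().delete_account(session, username)


def probe_as_low_privilege_user(service) -> dict:
    """Attempt create / modify / delete as the VIEWER account and record
    which operations succeeded. True for any key means vertical privilege
    escalation is possible from a low-privilege session."""
    low = Session(service.accounts["guest"])
    attempts = (
        ("create", lambda: service.create_account(low, "newadmin", Role.ADMIN)),
        ("modify", lambda: service.set_role(low, "guest", Role.ADMIN)),
        ("delete", lambda: service.delete_account(low, "admin")),
    )
    results = {}
    for name, call in attempts:
        try:
            call()
            results[name] = True
        except Forbidden:
            results[name] = False
    return results


if __name__ == "__main__":
    print("vulnerable:", probe_as_low_privilege_user(VulnerableAccountService()))
    print("hardened:  ", probe_as_low_privilege_user(HardenedAccountService()))
```

The point of the `require_role` gate is that authorization is decided from the account record the server already holds for the session, so a client that edits its own role field or replays an administrator's request shape gains nothing; the fix is applied per operation rather than once at login, because a single missed method is enough to reintroduce the bug.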
Further details, including potential mitigation steps, are available in the advisory at https://github.com/DRAGOWN/CVE-2024-56898.
Details
- CWE(s)