CVE-2024-57032
Published: 17 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-57032 is an incorrect access control vulnerability in WeGIA versions prior to 3.2.0, specifically within the controle/control.php component. The flaw arises because the application does not properly validate the value provided in the 'senha_antiga' (old password) field during password change operations. This allows arbitrary password modifications without knowledge of the existing password. The issue is associated with CWE-863 (Incorrect Authorization) and CWE-284 (Improper Access Control), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By submitting a crafted request to controle/control.php with any value in the senha_antiga field, attackers can change the password of any user account, potentially compromising administrative privileges and leading to high impacts on confidentiality, integrity, and availability.
Mitigation involves upgrading to WeGIA 3.2.0 or later, as versions prior to this release remain vulnerable. Further technical details and reproduction steps are documented in the vulnerability research repository at https://github.com/nmmorette/vulnerability-research/blob/main/CVE-2024-57032, with additional information available on the official WeGIA site at https://www.wegia.org/.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect access control in the password change functionality enables unauthorized account manipulation (T1098) by allowing password changes without validating the old password, exploited via a public-facing web application (T1190).