CVE-2024-57604
Published: 12 February 2025
Description
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Security Summary
CVE-2024-57604 is a privilege escalation vulnerability affecting MaysWind ezBookkeeping version 0.7.0, specifically within the token component. The issue, classified under CWE-276, enables a remote attacker to elevate privileges. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
A remote attacker without prior privileges can exploit this vulnerability over the network with minimal complexity and no user interaction. Successful exploitation allows privilege escalation, potentially granting unauthorized access to sensitive functions or data within the affected ezBookkeeping instance, leading to high-level compromise of confidentiality, integrity, and availability.
Advisories and discussions are available in referenced sources, including a GitHub issue at https://github.com/mayswind/ezbookkeeping/issues/33 and additional details at https://hkohi.ca/vulnerability/2, which may provide further guidance on patches or mitigations. The vulnerability was published on 2025-02-12.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lacks rate limiting on login and 2FA backup code endpoints, enabling remote brute force attacks to guess credentials and bypass authentication for account takeover and privilege escalation.
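One mitigation for the missing rate limiting described above is a fixed-window attempt counter applied to the login and 2FA backup code handlers. The Go code below is an added example, not ezBookkeeping's own code; the endpoint paths, limits and key layout are assumptions chosen for illustration.

```go
package main

import (
	"sync"
	"time"
)

// Policy: at most MaxAttempts attempts per key within Window; further
// attempts in that window are refused (values are constructed for this example).
type Policy struct {
	MaxAttempts int
	Window      time.Duration
}
type bucket struct {
	count   int
	resetAt time.Time
}

// Limiter keeps one fixed-window counter per key, safe for concurrent handlers.
type Limiter struct {
	mu      sync.Mutex
	policy  Policy
	buckets map[string]*bucket
}

func NewLimiter(p Policy) *Limiter {
	return &Limiter{policy: p, buckets: make(map[string]*bucket)}
}

// Allow records one attempt for key at time now and reports whether the
// request may proceed to password / backup-code verification. Every
// attempt counts, so a guessing client cannot keep probing until a success.
func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[key]
	if !ok || !now.Before(b.resetAt) {
		b = &bucket{resetAt: now.Add(l.policy.Window)}
		l.buckets[key] = b
	}
	b.count++
	return b.count <= l.policy.MaxAttempts
}

// LoginKey scopes the counter to endpoint and account (hypothetical paths);
// a second limiter keyed on client IP additionally bounds guessing across accounts.
func LoginKey(endpoint, username string) string {
	return endpoint + "|" + username
}
```

Handlers for the login and backup-code endpoints consult Allow before verifying the submitted value and answer HTTP 429 when it returns false.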