CVE-2024-9431
Published: 20 March 2025
Description
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Security Summary
CVE-2024-9431 is an improper privilege management vulnerability (CWE-620) affecting version v0.0.14 of transformeroptimus/superagi. The flaw allows authenticated users to change the passwords of other users after logging into the system, potentially enabling account takeover. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
An attacker with low-privilege access, such as a standard authenticated user, can exploit this vulnerability remotely over the network without requiring user interaction. By leveraging the improper privilege management, the attacker can reset passwords for higher-privilege accounts or other targets, achieving full account takeover and potentially escalating control over the system.
The primary advisory is available via the Huntr.com bounty report at https://huntr.com/bounties/9b33d7c1-ed0a-4f5b-a378-694570fd990b, which details the issue discovered in transformeroptimus/superagi v0.0.14. Security practitioners should consult this reference for guidance on patches, workarounds, or updated versions addressing the vulnerability.
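Illustrative code, added here and not SuperAGI's own: the authorization gap this CVE describes (an authenticated caller allowed to set another user's password) shown as a minimal vulnerable handler beside a hardened one. The in-memory user store, the User and Forbidden types, the role names and the handler signatures are all assumptions for the example, not taken from the project.

```python
import hashlib
import secrets
from dataclasses import dataclass

class Forbidden(Exception):
    """Caller is authenticated but not authorized to change the target's password."""

@dataclass
class User:
    user_id: int
    role: str      # constructed roles: "user" or "admin"
    salt: str = ""
    pw_hash: str = ""

USERS = {}  # constructed in-memory user store, keyed by user_id

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

def _set_password(user, new_password):
    user.salt = secrets.token_hex(8)
    user.pw_hash = _hash(new_password, user.salt)

def verify_password(user_id, password):
    user = USERS[user_id]
    return secrets.compare_digest(user.pw_hash, _hash(password, user.salt))

def seed_users():
    """Constructed sample data: two ordinary users and one admin."""
    USERS.clear()
    for uid, role, pw in [(1, "user", "alice-pw"), (2, "user", "bob-pw"), (3, "admin", "admin-pw")]:
        USERS[uid] = User(uid, role)
        _set_password(USERS[uid], pw)

def change_password_vulnerable(session_user_id, target_user_id, new_password):
    # Bug class of CVE-2024-9431: the caller is authenticated (session_user_id) but the
    # handler never checks that the caller may act on the request-supplied target_user_id.
    _set_password(USERS[target_user_id], new_password)
    return True

def change_password_fixed(session_user_id, target_user_id, new_password, current_password=None):
    # Hardened form: a self-service change must prove the current password; changing any
    # other account requires the admin role. Anything else is refused before any write.
    actor = USERS[session_user_id]
    if target_user_id == session_user_id:
        if current_password is None or not verify_password(session_user_id, current_password):
            raise Forbidden("current password required for self-service change")
    elif actor.role != "admin":
        raise Forbidden("only admins may reset another user's password")
    _set_password(USERS[target_user_id], new_password)
    return True
```

A detection-side check follows the same split: a password-change event whose acting user differs from the target user, with a non-admin actor, is the signal to alert on.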
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Other ATLAS/OWASP Terms
  - OWASP Top 10 for LLMs 2025: None mapped
  - MITRE ATLAS Techniques: None mapped
- Classification Reason: The vulnerability affects SuperAGI (transformeroptimus/superagi), an open-source autonomous AI agent framework/platform, fitting AI Agent Protocols and Integrations. Reported on an AI/ML bug bounty platform (huntr.com).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper privilege management vulnerability allows authenticated users to change other users' passwords, directly enabling account manipulation (T1098) for account takeover.