CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/RE:M/U:Red
Description
In the moPS App through 1.8.618, all users can access administrative API endpoints without additional authentication, resulting in unrestricted read and write access, as demonstrated by /api/v1/users/resetpassword.
Analysis
moPS App through version 1.8.618 contains a critical authentication bypass vulnerability (CVE-2024-55585, CVSS 9.0) that allows all authenticated users to access administrative API endpoints without proper authorization checks, enabling unrestricted read and write operations including password resets. This vulnerability is particularly severe as it requires only low privileges (PR:L) to exploit via network access, and the /api/v1/users/resetpassword endpoint demonstrates direct administrative function access. No KEV or active exploitation data is referenced, but the high CVSS score and authentication bypass nature suggest significant real-world risk if exploited.
Technical Context
The vulnerability stems from CWE-306 (Missing Authentication Check), where administrative API endpoints lack proper authorization validation despite existing user authentication. The moPS application's REST API architecture implements user authentication at the login layer but fails to enforce role-based access control (RBAC) or capability-based security checks on sensitive administrative endpoints. The /api/v1/users/resetpassword endpoint exemplifies this flaw: while a user must be authenticated to reach the API (the PR:L requirement), the application does not verify whether that user holds administrative privileges before executing administrative operations. This is a classic privilege escalation vulnerability in which authenticated users can perform actions reserved for administrators, most likely because authorization middleware or access control lists are missing on these endpoints.
Affected Products
moPS App versions up to and including 1.8.618. CPE data indicates the affected component is the moPS web application; the specific vendor and full CPE identifier would be cpe:2.3:a:*:mops:<=1.8.618:*:*:*:*:*:*:* (vendor name not specified in the provided data). The vulnerability affects all installations of moPS App running version 1.8.618 or earlier. Patch availability and fixed version numbers are not specified in the provided references; the vendor should be contacted or monitored for security advisories naming patched versions (likely 1.8.619 or later).
Remediation
Immediate actions:
(1) Upgrade moPS App to a patched version released after 1.8.618 (contact the vendor for the specific patched version number).
(2) As interim mitigation pending patch deployment, implement network-level access controls restricting API endpoint access to users with confirmed administrative roles, and monitor /api/v1/users/resetpassword and similar administrative endpoints for unauthorized access attempts.
(3) Audit recent password reset activities and user account modifications to detect potential exploitation.
(4) Implement Web Application Firewall (WAF) rules to validate that only authenticated administrative users access /api/v1/* administrative endpoints.
(5) Review and strengthen authorization checks across all API endpoints, ensuring every endpoint validates user role/permissions before executing privileged operations.
(6) Enable detailed API access logging to track exploitation attempts.
The vendor should release a patched version implementing proper authorization middleware/RBAC enforcement on all administrative endpoints.
EUVD-2024-54657