Skip to main content

CVE-2024-55585

| EUVDEUVD-2024-54657 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2025-06-07 cve@mitre.org
9.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/RE:M/U:Red

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/RE:M/U:Red
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
P

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 19:13 euvd
EUVD-2024-54657
Analysis Generated
Mar 14, 2026 - 19:13 vuln.today
CVE Published
Jun 07, 2025 - 19:15 nvd
CRITICAL 9.0

DescriptionCVE.org

In the moPS App through 1.8.618, all users can access administrative API endpoints without additional authentication, resulting in unrestricted read and write access, as demonstrated by /api/v1/users/resetpassword.

AnalysisAI

moPS App through version 1.8.618 contains a critical authentication bypass vulnerability (CVE-2024-55585, CVSS 9.0) that allows all authenticated users to access administrative API endpoints without proper authorization checks, enabling unrestricted read and write operations including password resets. This vulnerability is particularly severe as it requires only low privileges (PR:L) to exploit via network access, and the /api/v1/users/resetpassword endpoint demonstrates direct administrative function access. No KEV or active exploitation data is referenced, but the high CVSS score and authentication bypass nature suggest significant real-world risk if exploited.

Technical ContextAI

The vulnerability stems from CWE-306 (Missing Authentication Check), where administrative API endpoints lack proper authorization validation despite existing user authentication. The moPS application's REST API architecture implements user authentication at the login layer but fails to enforce role-based access control (RBAC) or capability-based security checks on sensitive administrative endpoints. The /api/v1/users/resetpassword endpoint exemplifies this flaw—while a user must be authenticated to reach the API (PR:L requirement), the application does not verify whether that user holds administrative privileges before executing administrative operations. This represents a classic privilege escalation vulnerability where authenticated users can perform actions reserved for administrators, likely due to missing authorization middleware or access control lists on these endpoints.

RemediationAI

Immediate actions: (1) Upgrade moPS App to a patched version released after 1.8.618 (contact vendor for specific patched version number); (2) As interim mitigation pending patch deployment, implement network-level access controls restricting API endpoint access to users with confirmed administrative roles, and monitor /api/v1/users/resetpassword and similar administrative endpoints for unauthorized access attempts; (3) Audit recent password reset activities and user account modifications to detect potential exploitation; (4) Implement Web Application Firewall (WAF) rules to validate that only authenticated administrative users access /api/v1/* administrative endpoints; (5) Review and strengthen authorization checks across all API endpoints, ensuring every endpoint validates user role/permissions before executing privileged operations; (6) Enable detailed API access logging to track exploitation attempts. Vendor should release a patched version implementing proper authorization middleware/RBAC enforcement on all administrative endpoints.

Share

CVE-2024-55585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy