IDOR vulnerability in AbsysNet
AbsysNet, version 2.3.1.
INCIBE has coordinated the publication of one high-severity vulnerability affecting AbsysNet, an integrated library management system, discovered by Jordi Forès (S2Grupo).
This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2024-11318: CVSS v3.1: 7.5 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-639.
The AbsysNet team has fixed the vulnerability by updating the mOpac binaries in versions 2.3.1 and 2.4.
CVE-2024-11318: an IDOR (Insecure Direct Object Reference) vulnerability has been discovered in AbsysNet, affecting version 2.3.1. This vulnerability could allow a remote attacker to obtain the session of an unauthenticated user by brute-forcing the session identifier on the "/cgi-bin/ocap/" endpoint.
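A defender-side check for the behaviour described above, as an added example (not code from INCIBE or the AbsysNet team): it scans web access logs for clients that present many distinct session identifiers to the "/cgi-bin/ocap/" endpoint. The parameter name `sid`, the Common Log Format layout, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/cgi-bin/ocap/"   # endpoint named in the advisory
SESSION_PARAM = "sid"         # ASSUMPTION: hypothetical parameter name, not from the advisory
MAX_DISTINCT_IDS = 5          # ASSUMPTION: tune against a baseline of normal traffic

# Client address, request line and status from a Common Log Format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def distinct_ids_per_client(lines):
    """Map each client address to the set of session identifiers it sent to ENDPOINT."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated log lines
        url = urlsplit(m.group("url"))
        if not url.path.startswith(ENDPOINT):
            continue
        for value in parse_qs(url.query).get(SESSION_PARAM, []):
            seen[m.group("ip")].add(value)
    return seen

def suspected_enumeration(lines, threshold=MAX_DISTINCT_IDS):
    """Return clients that used more than `threshold` distinct session identifiers."""
    per_client = distinct_ids_per_client(lines)
    return sorted(ip for ip, ids in per_client.items() if len(ids) > threshold)

# Constructed sample: one client cycling identifiers, one reusing a single
# identifier, and one request to an unrelated path.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [10/Dec/2024:10:00:{i:02d} +0100] '
     f'"GET /cgi-bin/ocap/?sid=A{i:04d} HTTP/1.1" 200 512' for i in range(8)]
    + [f'198.51.100.4 - - [10/Dec/2024:10:01:{i:02d} +0100] '
       f'"GET /cgi-bin/ocap/?sid=B0001 HTTP/1.1" 200 512' for i in range(8)]
    + ['198.51.100.9 - - [10/Dec/2024:10:02:00 +0100] '
       '"GET /index.html?sid=C1 HTTP/1.1" 200 100']
)

if __name__ == "__main__":
    for ip in suspected_enumeration(SAMPLE_LOG):
        print("possible session identifier enumeration from", ip)
```

Shared addresses, such as a library's public terminals behind one NAT, legitimately carry many sessions, so set the threshold from a baseline of normal traffic.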