IDOR vulnerability in AbsysNet

Posted date 18/11/2024
Identifier
INCIBE-2024-0567
Importance
4 - High
Affected Resources

AbsysNet, version 2.3.1.

Description

INCIBE has coordinated the publication of 1 high severity vulnerability affecting AbsysNet, an integrated library management system, which has been discovered by Jordi Forès (S2Grupo).

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-11318: CVSS v3.1: 7.5 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-639.
Solution

The vulnerability has been fixed by the AbsysNet team, by updating the mOpac binaries in versions 2.3.1 and 2.4.

Detail

CVE-2024-11318: an IDOR (Insecure Direct Object Reference) vulnerability has been discovered in AbsysNet, affecting version 2.3.1. This vulnerability could allow a remote attacker to obtain the session of an unauthenticated user by brute-forcing the session identifier on the "/cgi-bin/ocap/" endpoint.
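A way for a defender to spot the session-identifier guessing described above in web server logs, as an added example that is not part of the advisory or of AbsysNet: it flags clients that hit "/cgi-bin/ocap/" with many distinct identifier values. The log lines are constructed, and the `sid` query parameter is an assumption, since the advisory does not say where the session identifier travels.

```python
import re
from collections import defaultdict

ENDPOINT = "/cgi-bin/ocap/"

# Common Log Format line: source, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real data). The "sid" parameter name is an
# assumption; the detector only looks at what follows the endpoint path.
SAMPLE_LINES = [
    # one client cycling through sequential identifier values
    f'203.0.113.5 - - [18/Nov/2024:10:00:{i:02d} +0100] '
    f'"GET {ENDPOINT}?sid={1000 + i} HTTP/1.1" 403 120'
    for i in range(8)
] + [
    # a normal client reusing its own identifier
    f'198.51.100.7 - - [18/Nov/2024:10:01:00 +0100] "GET {ENDPOINT}?sid=4242 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [18/Nov/2024:10:01:05 +0100] "GET {ENDPOINT}?sid=4242 HTTP/1.1" 200 4870',
    f'198.51.100.7 - - [18/Nov/2024:10:01:09 +0100] "GET {ENDPOINT}?sid=4242 HTTP/1.1" 200 5010',
    # unrelated request, ignored by the detector
    '198.51.100.7 - - [18/Nov/2024:10:01:12 +0100] "GET /index.html HTTP/1.1" 200 800',
]


def parse(lines):
    """Yield parsed records for lines that match the log format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_session_guessing(lines, threshold=5):
    """Return {source: distinct_values} for clients probing the endpoint with
    more than `threshold` distinct identifier values (path suffix plus query)."""
    probes = defaultdict(set)
    for rec in parse(lines):
        target = rec["target"]
        if not target.startswith(ENDPOINT):
            continue
        probes[rec["src"]].add(target[len(ENDPOINT):])
    return {src: len(vals) for src, vals in probes.items() if len(vals) > threshold}


if __name__ == "__main__":
    print(find_session_guessing(SAMPLE_LINES))  # → {'203.0.113.5': 8}
```

Tune `threshold` to the number of distinct sessions a single client legitimately opens in your log window before raising an alert.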