CVE-2024-1145 - OpenCVE

User enumeration vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow a remote user to retrieve all valid users registered in the application just by looking at the request response.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-alma-devklan-blog

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-03-19T11:35:46.187Z

Updated: 2024-03-19T11:35:46.187Z

Reserved: 2024-02-01T08:39:00.508Z

Link: CVE-2024-1145

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-03-19T12:15:08.177

Modified: 2024-03-19T13:26:46.000

Link: CVE-2024-1145

JSON object: View

Redhat Information

No data.

CWE

CWE-204

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-1145", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-02-01T08:39:00.508Z", "datePublished": "2024-03-19T11:35:46.187Z", "dateUpdated": "2024-03-19T11:35:46.187Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Alma Blog", "vendor": "Devklan", "versions": [{"lessThanOrEqual": "2.1.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya"}], "datePublic": "2024-03-19T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "User enumeration vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow a remote user to retrieve all valid users registered in the application just by looking at the request response."}], "value": "User enumeration vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow a remote user to retrieve all valid users registered in the application just by looking at the request response."}], "impacts": [{"capecId": "CAPEC-541", "descriptions": [{"lang": "en", "value": "CAPEC-541 Application Fingerprinting"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-03-19T11:35:46.187Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-alma-devklan-blog"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade Alma Blog to version 2.2."}], "value": "Upgrade Alma Blog to version 2.2."}], "source": {"discovery": "EXTERNAL"}, "title": "Observable Response Discrepancy at Alma Devklan Blog", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}