CVE-2024-12048

An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowing attackers to view, edit, and delete other users' information without proper authorization. Affected endpoints include but are not limited to /get/project/{project_id}, /get/schedule_data/{agent_id}, /delete/{agent_id}, /get/organisation/{organisation_id}, and /get/user/{user_id}.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/6def3e3a-c443-44bb-b20e-3e69b48f37dc	Exploit Third Party Advisory
https://huntr.com/bounties/6def3e3a-c443-44bb-b20e-3e69b48f37dc	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:superagi:superagi:0.0.14:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-07-18 19:58

NVD link : CVE-2024-12048

Mitre link : CVE-2024-12048

CVE.ORG link : CVE-2024-12048

JSON object : View

Products Affected

superagi

superagi

CWE

CWE-304

Missing Critical Step in Authentication

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2024-12048", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:26.503", "references": [{"url": "https://huntr.com/bounties/6def3e3a-c443-44bb-b20e-3e69b48f37dc", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/6def3e3a-c443-44bb-b20e-3e69b48f37dc", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-304"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowing attackers to view, edit, and delete other users' information without proper authorization. Affected endpoints include but are not limited to /get/project/{project_id}, /get/schedule_data/{agent_id}, /delete/{agent_id}, /get/organisation/{organisation_id}, and /get/user/{user_id}."}, {"lang": "es", "value": "Existe una vulnerabilidad IDOR (Referencia Directa a Objetos Insegura) en transformeroptimus/superagi versi\u00f3n v0.0.14. La aplicaci\u00f3n no verifica correctamente la autorizaci\u00f3n de varios endpoints de API, lo que permite a los atacantes ver, editar y eliminar la informaci\u00f3n de otros usuarios sin la debida autorizaci\u00f3n. Los endpoints afectados incluyen, entre otros, /get/project/{project_id}, /get/schedule_data/{agent_id}, /delete/{agent_id}, /get/organisation/{organisation_id} y /get/user/{user_id}."}], "lastModified": "2025-07-18T19:58:36.770", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:superagi:superagi:0.0.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C63CFCE-4FB2-47EC-A731-8C17458675D3"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}