CVE-2024-56883

Sage DPW before 2024_12_001 is vulnerable to Incorrect Access Control. The implemented role-based access controls are not always enforced on the server side. Low-privileged Sage users with employee role privileges can create external courses for other employees, even though they do not have the option to do so in the user interface. To do this, a valid request to create a course simply needs to be modified, so that the current user ID in the "id" parameter is replaced with the ID of another user.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cves.at/posts/cve-cve-2024-56883/writeup/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sagedpw:sage_dpw:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-02-18 18:15

Updated : 2025-09-25 13:27

NVD link : CVE-2024-56883

Mitre link : CVE-2024-56883

CVE.ORG link : CVE-2024-56883

JSON object : View

Products Affected

sagedpw

sage_dpw

CWE

CWE-284

Improper Access Control

{"id": "CVE-2024-56883", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2025-02-18T18:15:27.287", "references": [{"url": "https://cves.at/posts/cve-cve-2024-56883/writeup/", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Sage DPW before 2024_12_001 is vulnerable to Incorrect Access Control. The implemented role-based access controls are not always enforced on the server side. Low-privileged Sage users with employee role privileges can create external courses for other employees, even though they do not have the option to do so in the user interface. To do this, a valid request to create a course simply needs to be modified, so that the current user ID in the \"id\" parameter is replaced with the ID of another user."}, {"lang": "es", "value": "SAGE DPW antes de 2024_12_001 es vulnerable al control de acceso incorrecto. Los controles de acceso basados ??en roles implementados no siempre se aplican en el lado del servidor. Los usuarios de SAGE de bajo privilegio con permisos de roles de empleados pueden crear cursos externos para otros empleados, a pesar de que no tienen la opci\u00f3n de hacerlo en la interfaz de usuario. Para hacer esto, una solicitud v\u00e1lida para crear un curso simplemente debe modificarse, de modo que la ID de usuario actual en el par\u00e1metro \"ID\" se reemplace con la ID de otro usuario."}], "lastModified": "2025-09-25T13:27:35.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sagedpw:sage_dpw:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E67C2DAB-297B-483F-9B3D-972446393841", "versionEndExcluding": "2024_12_001"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}