CVE-2024-25635

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-25635
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-25635.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-25635
Related
  • GHSA-ffr5-g3qg-gp4f
Published
2024-02-19T20:15:45Z
Modified
2025-01-08T15:48:38.779024Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the http://192.168.26.128:8080/admin/api/users/<user_id> endpoint, which exposes the details of the provided user ID. This may also expose the API KEY in the username of the user. Version 2.0-M4-2402 fixes this issue.

References

Affected packages

Git / github.com/alfio-event/alf.io

Affected ranges

Type
GIT
Repo
https://github.com/alfio-event/alf.io
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.10
1.10-RC1
1.10-RC2
1.10.1
1.11
1.12
1.12-RC1
1.12-RC2
1.12-RC3
1.12-RC4
1.13
1.13-RC1
1.13-RC2
1.13-RC3
1.14
1.14-RC1
1.14-RC2
1.14.1
1.4
1.4-RC2
1.4.1
1.5
1.6
1.7
1.8
1.8-RC1
1.8-RC2
1.9
1.9.1

2.*

2.0-M0
2.0-M1
2.0-M1-1906
2.0-M1-1906.1
2.0-M2
2.0-M3
2.0-M4
2.0-M4-2204
2.0-M4-2301
2.0-M4-2304
2.0-M4.RC1
2.0-M4.RC2
2.0-M4.RC3
2.0-M4.RC4

alfio-1.*

alfio-1.0
alfio-1.1
alfio-1.2
alfio-1.3
alfio-1.3-beta1
alfio-1.3.1
alfio-1.3.2
alfio-1.3.3

v1.*

v1.0-pre-rename
v1.0-pre-rename-v2
v1.0-pre-rename-v3