SB2024070333 - Multiple vulnerabilities in Talya Informatics Travel APPS
Published: July 3, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2024-1153)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. An attacker with physical access can bypass implemented security restrictions and obtain sensitive information
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-1107)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to authorization bypass through user-controlled key. A remote user can send a specially crafted request and bypass authorization.
Remediation
Install update from vendor's website.