PT-2026-53931 · Cvat Ai · Cvat
George Chen
Published 2026-06-30
Updated 2026-06-30
CVE-2026-58373
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CVAT before 2.69.0 contains an improper authorization vulnerability in `QualityReportViewSet.get_queryset` that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations, caused by a missing `check_object_permissions` call on the `parent_id` query parameter of the quality reports API endpoint. An attacker can send requests with sequential integer `parent_id` values and distinguish existing from non-existing reports by the response code (HTTP 500 versus HTTP 404), which discloses the existence of reports in other organizations without returning any report content.
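As an added example that is not part of this advisory or of the CVAT code base, the following detection logic looks for the probing pattern described above in web-server access logs: one authenticated principal walking sequential `parent_id` values against the quality reports endpoint and receiving a mix of 500 and 404 responses. The log lines, user names and the exact endpoint path are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined format) modelled on the probing
# pattern in the advisory; the paths and user names are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - alice [30/Jun/2026:10:00:01 +0000] "GET /api/quality/reports?parent_id=101 HTTP/1.1" 200 1843
10.0.0.9 - mallory [30/Jun/2026:10:00:02 +0000] "GET /api/quality/reports?parent_id=200 HTTP/1.1" 500 93
10.0.0.9 - mallory [30/Jun/2026:10:00:02 +0000] "GET /api/quality/reports?parent_id=201 HTTP/1.1" 404 58
10.0.0.9 - mallory [30/Jun/2026:10:00:03 +0000] "GET /api/quality/reports?parent_id=202 HTTP/1.1" 500 93
10.0.0.9 - mallory [30/Jun/2026:10:00:03 +0000] "GET /api/quality/reports?parent_id=203 HTTP/1.1" 404 58
10.0.0.9 - mallory [30/Jun/2026:10:00:04 +0000] "GET /api/quality/reports?parent_id=204 HTTP/1.1" 500 93
10.0.0.5 - alice [30/Jun/2026:10:00:05 +0000] "GET /api/tasks/101 HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed endpoint path; adjust to the deployment's actual route.
PARENT_RE = re.compile(r'/api/quality/reports\?(?:.*&)?parent_id=(?P<pid>\d+)')


def find_parent_id_probing(log_text, min_requests=4, min_sequential_fraction=0.75):
    """Return one finding per principal that walks sequential parent_id values
    against the quality reports endpoint and observes both 404 and 500
    responses, i.e. the existence oracle described in the advisory."""
    per_user = defaultdict(list)  # user -> [(parent_id, status), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PARENT_RE.search(m['path'])
        if not p:
            continue
        per_user[m['user']].append((int(p['pid']), int(m['status'])))

    findings = []
    for user, hits in per_user.items():
        if len(hits) < min_requests:
            continue
        ids = sorted(pid for pid, _ in hits)
        # Share of adjacent ids (after sorting) that differ by exactly one.
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        sequential = steps / max(len(ids) - 1, 1)
        statuses = {status for _, status in hits}
        if sequential >= min_sequential_fraction and {404, 500} <= statuses:
            findings.append({'user': user, 'requests': len(hits),
                             'id_range': (ids[0], ids[-1]),
                             'statuses': sorted(statuses)})
    return findings
```

The same scan can be pointed at the application log instead, where a burst of unhandled-exception 500s on this endpoint from one account is the clearer signal.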
Fix
Missing Authorization
Weakness Enumeration
Related identifiers
Affected products
Cvat