CVE-2024-36108

Name of the Vulnerable Software and Affected Versions casgate versions (affected versions not specified)

Description The issue allows a remote unauthenticated attacker to obtain sensitive information via a GET request to an API endpoint. An attacker could use the id parameter of GET requests with the value anonymous/ anonymous to bypass authorization on certain API endpoints. Successful exploitation could lead to account takeover, privilege escalation, or provide the attacker with credentials to other services.

Recommendations As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Users are advised to upgrade to a newer version once it is released, as there are no known workarounds for this vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.