PT-2024-31829 · Baltic It · Baltic-It Topqw Webportal

Majid Lakhnati +1

Published 2024-11-13 · Updated 2024-11-26

CVE-2024-45877

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

baltic-it TOPqw Webportal version 1.35.283.2

Description

The issue is an Incorrect Access Control weakness in the User Management function, specifically in the /Apps/TOPqw/BenutzerManagement.aspx endpoint. It allows a low-privileged user to access all modules in the web portal; view and manipulate the information and permissions of other users; lock other users or unlock their own account; change the passwords of other users; create new users or delete existing ones; and view, manipulate, and delete reference data.

Recommendations

For version 1.35.283.2, consider restricting access to the /Apps/TOPqw/BenutzerManagement.aspx endpoint until a patch is available. As a temporary workaround, limit the privileges of low-privileged users so that they cannot access or manipulate sensitive information. At the moment, there is no information about a newer version that contains a fix for this issue.
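One way to apply the recommended endpoint restriction at the URL-authorization layer, as an added illustration that is not vendor-supplied configuration: it assumes the portal runs on ASP.NET Web Forms with Forms or Windows authentication and that an administrative role exists (the role name `TOPqwAdmin` is a placeholder; the advisory names no roles). The weak rule shown first mirrors the reported behaviour, where any authenticated account can reach the page.

```xml
<!-- Site-root web.config excerpt. Added illustration, not vendor configuration.
     Assumes ASP.NET Web Forms with role-based authentication;
     "TOPqwAdmin" is a placeholder role name.
     The location path is relative to this web.config, so the advisory's
     /Apps/TOPqw/BenutzerManagement.aspx becomes Apps/TOPqw/BenutzerManagement.aspx. -->
<configuration>

  <!-- WEAK (do not use): only anonymous users ("?") are denied, so every
       authenticated account, including a low-privileged one, can open the
       user-management page. Shown commented out for comparison. -->
  <!--
  <location path="Apps/TOPqw/BenutzerManagement.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  -->

  <!-- RESTRICTED: rules are evaluated top-down and the first match wins,
       so allow the administrative role first, then deny everyone else
       ("*" covers both anonymous and authenticated users). -->
  <location path="Apps/TOPqw/BenutzerManagement.aspx">
    <system.web>
      <authorization>
        <allow roles="TOPqwAdmin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

This only gates the page URL; the application's own authorization logic is unchanged, so a vendor fix is still required.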

Fix

At the time of publication, no version containing a fix is known.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2024-45877

Affected Products

Baltic-It Topqw Webportal