PT-2024-32085 · Inroad · Inroad
Published: 2024-09-30 · Updated: 2024-11-14 · CVE-2024-46635
CVSS v3.1: 5.9 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: INROAD versions prior to v202402060

Description: The issue concerns the API endpoint "/AccountMaster/GetCurrentUserInfo", where an attacker can obtain sensitive information by sending a crafted payload in the UserNameOrPhoneNumber parameter. This results in unauthorized access to sensitive data.

Recommendations: For versions prior to v202402060, as a temporary workaround, consider restricting access to the "/AccountMaster/GetCurrentUserInfo" API endpoint until a patch is applied. Avoid using the UserNameOrPhoneNumber parameter of this endpoint to minimize the risk of exploitation. Update to version v202402060 or later to resolve the issue.

Fix

Insecure Storage of Sensitive Information

Weakness Enumeration

Related Identifiers: CVE-2024-46635
Affected Products: Inroad