PT-2024-34387 · Adapt Learning · Adapt Learning Adapt Authoring Tool

Dos-M0Nk3Y · Published 2024-11-25 · Updated 2024-12-04 · CVE-2024-50671

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Adapt Learning Adapt Authoring Tool versions <= 0.11.3
Description: The issue is an incorrect access control flaw that allows attackers holding the Authenticated User role to obtain email addresses via the "Get users" feature. It occurs because of a flaw in the permission verification logic: the wildcard character in permitted URLs grants unintended access to endpoints that are restricted to users with the Super Admin role, so an attacker can disclose the email addresses of all users.
Recommendations: For Adapt Learning Adapt Authoring Tool versions <= 0.11.3, update to a version that fixes the permission verification logic flaw so that restricted endpoints cannot be reached through wildcard matches. As a temporary workaround, restrict access to the "Get users" feature to Super Admin roles only until a patch is available.
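The mechanism described above, as an added illustration rather than code from the Adapt Authoring Tool: a permission model that grants access by matching the request path against per-role URL patterns, where "*" expands to "match anything", lets a pattern meant for a user's own record also match a neighbouring administrative endpoint. The corrected check resolves the concrete route first, enforces that route's role floor, and denies anything it cannot resolve. The route paths ("/api/user/query" standing in for the "Get users" feature), role names, user records and patterns are all constructed for this example; they are not taken from the product. JavaScript is used because the tool is a Node.js application.

```javascript
// Added example, not the Adapt Authoring Tool's own code. Every path, role
// and user record here is constructed to illustrate wildcard over-matching.

// Constructed route table. "/api/user/query" stands in for the advisory's
// "Get users" feature and is meant for Super Admins only. Order matters:
// the literal route is listed before the parameterised one.
const ROUTES = [
  { pattern: '/api/user/query', minRole: 'superadmin' },
  { pattern: '/api/user/:id',   minRole: 'authenticated', ownerOnly: true },
];

const ROLE_RANK = { authenticated: 1, superadmin: 2 };

// Flawed policy: a per-role list of permitted URL globs. The authenticated
// entry was intended to cover "/api/user/<own id>" only.
const PERMITTED_URLS = {
  authenticated: ['/api/user/*'],
  superadmin:    ['/api/*'],
};

// Turn a glob into a regex; "*" becomes ".*", i.e. it crosses path segments.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// Flawed check: any permitted glob that matches the path grants access,
// regardless of what the endpoint actually is or who the record belongs to.
function flawedIsAllowed(user, path) {
  const globs = PERMITTED_URLS[user.role] || [];
  return globs.some((g) => globToRegExp(g).test(path));
}

// Resolve a request path to a concrete route and its parameters.
// Route patterns contain no regex metacharacters other than ":name".
function matchRoute(path) {
  for (const route of ROUTES) {
    const keys = [];
    const source = route.pattern.replace(/:(\w+)/g, (_, k) => {
      keys.push(k);
      return '([^/]+)';
    });
    const m = new RegExp('^' + source + '$').exec(path);
    if (m) {
      const params = {};
      keys.forEach((k, i) => { params[k] = m[i + 1]; });
      return { route, params };
    }
  }
  return null;
}

// Corrected check: deny by default, enforce the route's role floor, and
// enforce ownership on parameterised routes for non-admin callers.
function fixedIsAllowed(user, path) {
  const hit = matchRoute(path);
  if (!hit) return false;
  const { route, params } = hit;
  if ((ROLE_RANK[user.role] || 0) < ROLE_RANK[route.minRole]) return false;
  if (route.ownerOnly && user.role !== 'superadmin' && params.id !== user.id) {
    return false;
  }
  return true;
}

// Constructed users.
const alice = { id: 'u-1001', role: 'authenticated' };
const admin = { id: 'u-0001', role: 'superadmin' };

// Stand-alone demonstration.
for (const [who, u] of [['alice', alice], ['admin', admin]]) {
  for (const p of ['/api/user/query', '/api/user/u-1001', '/api/user/u-2002']) {
    console.log(`${who} ${p}: flawed=${flawedIsAllowed(u, p)} fixed=${fixedIsAllowed(u, p)}`);
  }
}
```

The flawed check says yes to the authenticated user for "/api/user/query" because ".*" happily consumes "query"; it also says yes to another user's record. The fixed check answers the two questions the glob never asked (which endpoint is this, and is the caller entitled to it), which is also the shape of the vendor-side fix the advisory recommends.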

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2024-50671

Affected Products: Adapt Learning Adapt Authoring Tool