PT-2024-34388 · Adapt Learning · Adapt Learning Adapt Authoring Tool

Dos-M0Nk3Y · Published 2024-11-25 · Updated 2025-04-15 · CVE-2024-50672

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Adapt Learning Adapt Authoring Tool, versions 0.11.3 and earlier (<= 0.11.3)

Description: A NoSQL injection flaw allows unauthenticated attackers to reset the passwords of user and administrator accounts through the "Reset password" feature. User-supplied input is used, without sufficient validation, as a query in Mongoose's find(); because the input is not constrained to the expected scalar value, query operators embedded in it change what the lookup matches. This enables a full takeover of the administrator account, after which the attacker can upload a custom plugin and achieve remote code execution (RCE) on the server hosting the web application.

Recommendations: Update Adapt Learning Adapt Authoring Tool installations at version 0.11.3 or earlier to a version greater than 0.11.3. Where the update cannot be applied immediately, restrict access to the "Reset password" feature and restrict plugin upload to trusted administrators. Note that the RCE step depends on holding an administrator account, so limiting plugin upload reduces the impact of a successful password reset but does not remove the injection itself.
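The following is an added illustration of the vulnerability class described above, not code from Adapt Authoring Tool or from this advisory. It stands in for Mongoose's find() with a small in-memory filter evaluator so it runs offline; the collection, field names, sample documents and token format are assumptions made for the example. It shows the vulnerable lookup, a type-validating fix at the trust boundary, and a filter-sanitising fix that neutralises operator objects.

```javascript
// Added illustration of the vulnerability class in the advisory: operator injection
// into a MongoDB/Mongoose find() filter built from request input. This is not Adapt
// Authoring Tool code. Field names, the sample documents and the tiny in-memory filter
// evaluator standing in for Model.find() are all constructed for this example.

// Subset of MongoDB filter semantics: a plain value is an equality match, an object
// whose keys all start with "$" applies the listed operators to the field.
const OPERATORS = {
  $eq: (field, arg) => field === arg,
  $ne: (field, arg) => field !== arg,
  $regex: (field, arg) => typeof field === "string" && new RegExp(arg).test(field),
};

function isOperatorObject(value) {
  return (
    value !== null &&
    typeof value === "object" &&
    !Array.isArray(value) &&
    Object.keys(value).length > 0 &&
    Object.keys(value).every((k) => k.startsWith("$"))
  );
}

function matches(doc, filter) {
  return Object.entries(filter).every(([path, condition]) => {
    const field = doc[path];
    if (!isOperatorObject(condition)) return field === condition; // literal match
    return Object.entries(condition).every(([op, arg]) => {
      if (!(op in OPERATORS)) throw new Error(`unsupported operator ${op}`);
      return OPERATORS[op](field, arg);
    });
  });
}

// Stand-in for Model.find(filter): every document matching the filter.
function find(collection, filter) {
  return collection.filter((doc) => matches(doc, filter));
}

// Constructed sample data: outstanding password-reset tokens.
const RESET_TOKENS = [
  { user: "admin@example.test", token: "c0ffee" },
  { user: "alice@example.test", token: "decaf0" },
];

// Vulnerable: the parsed JSON body value goes straight into the filter. A string
// gives an equality match; {"$ne": ""} matches every document, so the caller
// receives a valid reset record without knowing any token.
function findResetVulnerable(tokenFromRequest) {
  return find(RESET_TOKENS, { token: tokenFromRequest });
}

// Mitigation 1: validate type and shape at the trust boundary before anything
// reaches the query. The token format (six lowercase hex characters) is hypothetical.
const TOKEN_RE = /^[0-9a-f]{6}$/;
function findResetHardened(tokenFromRequest) {
  if (typeof tokenFromRequest !== "string" || !TOKEN_RE.test(tokenFromRequest)) {
    throw new TypeError("reset token must be a string in the expected format");
  }
  return find(RESET_TOKENS, { token: tokenFromRequest });
}

// Mitigation 2: neutralise operators in an already-built filter by wrapping any
// operator object in $eq, so it can only ever be compared as a literal value.
// Mongoose 6 and later provide the same behaviour through the sanitizeFilter option.
function sanitizeFilter(filter) {
  const clean = {};
  for (const [path, condition] of Object.entries(filter)) {
    clean[path] = isOperatorObject(condition) ? { $eq: condition } : condition;
  }
  return clean;
}
```

The evaluator mirrors only the MongoDB semantics needed to make the point; with a real Mongoose model the same JSON body, `{"token": {"$ne": ""}}`, produces the same match-everything filter because a JSON body parser hands the handler an object, not a string. Either mitigation works on its own: the first refuses anything that is not the expected scalar, the second keeps the query engine from interpreting attacker-controlled keys as operators.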

Weakness Enumeration

NoSQL injection

Related Identifiers

CVE-2024-50672

Affected Products

Adapt Learning Adapt Authoring Tool
Mongoose