PT-2024-36490 · Unknown · Oqtane Framework

Smitshah1518 · Published 2024-12-20 · Updated 2024-12-20 · CVE-2024-55186

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Oqtane Framework version 6.0.0
Description: An IDOR (Insecure Direct Object Reference) issue exists in the inbox (notification) messages feature. The affected endpoint looks a message up by the notification ID carried in the request URL and does not verify that the requesting user is a party to that notification, so any logged-in user can substitute another user's notification ID and read sensitive mail details belonging to that user. Only read access is affected; the CVSS vector scores the issue as a low-privilege, network-reachable confidentiality loss with no integrity or availability impact.
Recommendations: For Oqtane Framework version 6.0.0, restrict access to the inbox messages feature until a patch is available, or add server-side validation so that a notification is returned only when the requesting user is its recipient (or sender). The check must be enforced on the server against the authenticated session: the notification ID in the URL is attacker-controlled, so changing only what the client requests does not close the issue. After patching, confirm the fix by requesting a known notification ID of one account from a second, unrelated account and verifying that the message is not returned.
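The advisory states the bug only as "change the notification ID in the URL". The block below is an added example, not Oqtane Framework code (Oqtane itself is written in C#; this is a language-neutral model in Python). It shows the vulnerable lookup keyed only on the ID, the hardened lookup that additionally requires the caller to be the notification's recipient or sender, and a probe that walks an ID range as another user, which is the check to run before and after the fix. The in-memory store, user IDs, messages and function names are all constructed for the example.

```python
"""Model of the inbox/notification IDOR described in the advisory, beside a
hardened lookup and the probe used to confirm the fix.

Added example, not Oqtane Framework code (Oqtane itself is C#). The store,
user IDs and messages below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Notification:
    notification_id: int
    from_user_id: int
    to_user_id: int
    subject: str
    body: str


# Constructed sample data: Alice (1), Bob (2) and Carol (3) with private messages.
NOTIFICATIONS = {
    101: Notification(101, from_user_id=1, to_user_id=2, subject="Invoice", body="Alice to Bob"),
    102: Notification(102, from_user_id=2, to_user_id=1, subject="Re: Invoice", body="Bob to Alice"),
    103: Notification(103, from_user_id=3, to_user_id=1, subject="Password reset", body="Carol to Alice"),
}


def get_notification_vulnerable(caller_user_id: int, notification_id: int) -> Optional[Notification]:
    """Vulnerable pattern: the caller is authenticated (caller_user_id comes from
    the session, not from the request), but the lookup is keyed only on the ID
    taken from the URL. Nothing ties the record to the caller, so any logged-in
    user can walk IDs and read every other user's inbox."""
    return NOTIFICATIONS.get(notification_id)


def get_notification_hardened(caller_user_id: int, notification_id: int) -> Optional[Notification]:
    """Hardened pattern: an object-level authorization check on the server.
    The record is returned only if the caller is its recipient or sender.
    A foreign ID is answered exactly like a missing one (None, i.e. a 404), so
    the response does not act as an oracle for which IDs exist."""
    n = NOTIFICATIONS.get(notification_id)
    if n is None or caller_user_id not in (n.from_user_id, n.to_user_id):
        return None
    return n


LookupFn = Callable[[int, int], Optional[Notification]]


def idor_probe(lookup: LookupFn, attacker_user_id: int, id_range: Iterable[int]) -> list:
    """The check a tester or a regression test runs: as the attacker, walk a
    range of notification IDs and return those that came back although the
    attacker is neither sender nor recipient. An empty list means no leak."""
    leaked = []
    for nid in id_range:
        n = lookup(attacker_user_id, nid)
        if n is not None and attacker_user_id not in (n.from_user_id, n.to_user_id):
            leaked.append(nid)
    return leaked


if __name__ == "__main__":
    # Bob (user 2) walks IDs 100..109 against both implementations.
    print("vulnerable leaks:", idor_probe(get_notification_vulnerable, 2, range(100, 110)))
    print("hardened leaks:  ", idor_probe(get_notification_hardened, 2, range(100, 110)))
```

The hardened lookup answers a foreign ID the same way as a non-existent one; whether a real deployment prefers 403 over 404 is a design choice, but either way the decision is made on the server from the session identity, never from anything in the URL. The same ownership check belongs on every route that accepts the same notification ID, not only on the read path.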

Exploit

Fix

Incorrect Authorization

IDOR

Weakness Enumeration

Related Identifiers

CVE-2024-55186
GHSA-2HR5-CVWP-JR5W

Affected Products

Oqtane Framework