PT-2024-37547 · Google · Google Calendar
Nadim Zubidat · Published 2024-09-05 · Updated 2024-09-12 · CVE-2024-6332
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Amelia Premium versions up to 7.7
Amelia Lite versions up to 1.2.3
Description
The issue is related to a missing capability check on the ameliaButtonCommand function, allowing unauthenticated attackers to access employee calendar details. In the premium version, this also includes access to Google Calendar OAuth tokens.
Recommendations
For Amelia Premium versions up to 7.7, update to a version that includes a fix for the missing capability check on the ameliaButtonCommand function.
For Amelia Lite versions up to 1.2.3, update to a version that includes a fix for the missing capability check on the ameliaButtonCommand function.
As a temporary workaround, consider disabling the ameliaButtonCommand function until a patch is available.
Fix
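The bug class the description names, a capability check missing from an AJAX handler, shown as an added example that is not Amelia's code: a constructed WordPress handler with the weak registration beside a hardened form. The hook names, the `example_*` functions and the data shape are assumptions.

```php
<?php
// Constructed illustration of the advisory's bug class; not the plugin's code.
// Hook names, example_* functions and the returned array layout are hypothetical.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_nopriv_* makes the action reachable without a login, and the handler
// never checks who is calling, so any visitor can read employee calendar data.
add_action( 'wp_ajax_example_calendar_command', 'example_calendar_command_vulnerable' );
add_action( 'wp_ajax_nopriv_example_calendar_command', 'example_calendar_command_vulnerable' );

function example_calendar_command_vulnerable() {
    $employee_id = isset( $_POST['employee_id'] ) ? (int) $_POST['employee_id'] : 0;
    // Returns calendar details and, as in the premium case above, stored OAuth tokens.
    wp_send_json_success( example_get_employee_calendar( $employee_id ) );
}

// --- Hardened pattern -------------------------------------------------------
// 1. Register only the authenticated hook (no wp_ajax_nopriv_ variant).
// 2. Verify a nonce so the request came from the plugin's own admin UI.
// 3. Require an explicit capability before touching sensitive data.
// 4. Never send credential material such as OAuth tokens to the browser.
add_action( 'wp_ajax_example_calendar_command_v2', 'example_calendar_command_hardened' );

function example_calendar_command_hardened() {
    check_ajax_referer( 'example_calendar_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    $employee_id = isset( $_POST['employee_id'] ) ? absint( $_POST['employee_id'] ) : 0;
    $calendar    = example_get_employee_calendar( $employee_id );

    // Strip the token before the response leaves the server.
    unset( $calendar['googleCalendar']['token'] );

    wp_send_json_success( $calendar );
}

// Hypothetical stand-in for the plugin's data layer so the file is self-contained.
function example_get_employee_calendar( $employee_id ) {
    return array(
        'employeeId'     => $employee_id,
        'events'         => array(),
        'googleCalendar' => array( 'token' => '<placeholder-oauth-token>' ),
    );
}
```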
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Google Calendar