PT-2025-12117 · Unknown · Transformeroptimus/Superagi

Published 2025-03-20 · Updated 2025-07-18 · CVE-2024-12048

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: transformeroptimus/superagi version v0.0.14

Description: An IDOR (Insecure Direct Object Reference) vulnerability exists, allowing attackers to view, edit, and delete other users' information without proper authorization. The application fails to properly check authorization for multiple API endpoints, including but not limited to "/get/project/{project id}", "/get/schedule data/{agent id}", "/delete/{agent id}", "/get/organisation/{organisation id}", and "/get/user/{user id}".

Recommendations: To resolve the issue, update to a version that properly checks authorization for all API endpoints. As a temporary workaround, consider restricting access to the affected API endpoints, such as "/get/project/{project id}", "/get/schedule data/{agent id}", "/delete/{agent id}", "/get/organisation/{organisation id}", and "/get/user/{user id}", until a patch is available. Restrict access to sensitive user information to minimize the risk of exploitation.
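The defect class the advisory describes, authentication without an object-level authorization check, is shown below as an added illustration. This is hypothetical example code written for this page, not SuperAGI's own handlers: the `User`, `Project` and `Agent` records, the in-memory `PROJECTS` and `AGENTS` tables, and the function names are constructed. The vulnerable handler looks a record up by id and returns it to any logged-in caller; the hardened handlers route every lookup through one ownership check that compares the record's organisation with the caller's, and answer "not found" for both missing and foreign ids so the check does not reveal which ids exist.

```python
"""Added example (not SuperAGI code): object-level authorization for id-based lookups."""
from dataclasses import dataclass
from typing import Callable


class NotFound(Exception):
    """Maps to HTTP 404 in a web framework."""


@dataclass(frozen=True)
class User:
    user_id: int
    organisation_id: int


@dataclass(frozen=True)
class Project:
    project_id: int
    organisation_id: int
    name: str


@dataclass(frozen=True)
class Agent:
    agent_id: int
    organisation_id: int
    name: str


# Constructed sample data standing in for the database: two organisations (100 and 200).
PROJECTS = {
    1: Project(project_id=1, organisation_id=100, name="alpha"),
    2: Project(project_id=2, organisation_id=200, name="beta"),
}
AGENTS = {
    10: Agent(agent_id=10, organisation_id=100, name="scheduler"),
    20: Agent(agent_id=20, organisation_id=200, name="researcher"),
}


def get_project_vulnerable(current_user: User, project_id: int) -> Project:
    """IDOR pattern: the caller is authenticated, but the id is never tied to the caller.

    Any logged-in user who supplies another organisation's project id gets the record.
    """
    project = PROJECTS.get(project_id)
    if project is None:
        raise NotFound(project_id)
    return project


def require_owned(current_user: User, record):
    """Single choke point for object-level authorization.

    A foreign record is reported exactly like a missing one (NotFound), so a caller
    cannot distinguish "does not exist" from "exists but is not yours".
    """
    if record is None or record.organisation_id != current_user.organisation_id:
        raise NotFound("no such record for this organisation")
    return record


def get_project(current_user: User, project_id: int) -> Project:
    """Hardened read: lookup by id, then ownership check before anything is returned."""
    return require_owned(current_user, PROJECTS.get(project_id))


def delete_agent(current_user: User, agent_id: int) -> bool:
    """Hardened delete: the same check guards mutating endpoints, not just reads."""
    require_owned(current_user, AGENTS.get(agent_id))
    del AGENTS[agent_id]
    return True


def raises(exc: type, fn: Callable, *args) -> bool:
    """Small helper so callers can confirm a lookup was refused."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    outsider = User(user_id=7, organisation_id=200)
    # The unchecked handler hands org 100's project to a user from org 200.
    print("vulnerable:", get_project_vulnerable(outsider, 1).name)
    # The hardened handler refuses the same request.
    print("hardened refused:", raises(NotFound, get_project, outsider, 1))
```

In a real FastAPI or Flask application `current_user` would come from the session or token dependency and `PROJECTS.get` would be an ORM query; the point that survives the translation is that every handler which accepts an object id must pass the fetched row through `require_owned` (or filter the query by the caller's organisation) before reading, updating or deleting it.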

Tags: IDOR

Weakness Enumeration

Related Identifiers: CVE-2024-12048

Affected Products: Transformeroptimus/Superagi