CVE-2024-57190

Name of the Vulnerable Software and Affected Versions Erxes versions prior to 1.6.1

Description The issue is related to Incorrect Access Control, allowing an attacker to bypass authentication. This can be achieved by providing a "User" HTTP header with any user, enabling access to any GraphQL endpoint.

Recommendations For versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to GraphQL endpoints to minimize the risk of exploitation. Avoid relying solely on the "User" HTTP header for authentication until the issue is resolved.