CVE-2024-53355

Name of the Vulnerable Software and Affected Versions EasyVirt DCScope versions 8.6.0 and earlier EasyVirt CO2Scope versions 1.3.0 and earlier

Description The issue allows remote authenticated attackers with low privileges to perform various unauthorized actions. This includes adding an admin user via the "/api/user/addalias" route, modifying a user via the "/api/user/updatealias" route, deleting users via the "/api/user/delalias" route, and getting users via the "/api/user/aliases" route. Additionally, attackers can add a root group via the "/api/user/adduser" route, modify a group via the "/api/user/updateuser" route, delete a group via the "/api/user/deluser" route, and get groups via the "/api/user/users" route. They can also add an admin role via the "/api/user/addrole" route, modify a role via the "/api/user/updaterole" route, delete a role via the "/api/user/delrole" route, and get roles via the "/api/user/roles" route.

Recommendations For EasyVirt DCScope versions 8.6.0 and earlier, update to a version later than 8.6.0 to resolve the issue. For EasyVirt CO2Scope versions 1.3.0 and earlier, update to a version later than 1.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "/api/user/addalias", "/api/user/updatealias", "/api/user/delalias", "/api/user/aliases", "/api/user/adduser", "/api/user/updateuser", "/api/user/deluser", "/api/user/users", "/api/user/addrole", "/api/user/updaterole", "/api/user/delrole", and "/api/user/roles", until a patch is available.