CVE-2024-56883

Name of the Vulnerable Software and Affected Versions SAGE DPW versions prior to 2024 12 001

Description The issue concerns incorrect access control in SAGE DPW. The implemented role-based access controls are not always enforced on the server side. Low-privileged SAGE users with employee role privileges can create external courses for other employees, even though they do not have the option to do so in the user interface. This can be achieved by modifying a valid request to create a course, replacing the current user ID in the id parameter with the ID of another user.

Recommendations For versions prior to 2024 12 001, as a temporary workaround, consider restricting access to the course creation feature to minimize the risk of exploitation. Additionally, avoid using the id parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.