CVE-2024-12123 - Vulnerability Details - OpenCVE

A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. When an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy. The ticket requester can be changed from the original requester to another user in the same application, which the application then accepts.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes

History

Wed, 04 Dec 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Dec 2024 03:45:00 +0000

Type	Values Removed	Values Added
Description		A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. When an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy. The ticket requester can be changed from the original requester to another user in the same application, which the application then accepts.
Title		Unauthorized Modification of Ticket Requester
Weaknesses		CWE-472 CWE-837
References		https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Gridware

Published: 2024-12-04T03:26:00.918Z

Updated: 2024-12-04T14:09:11.911Z

Reserved: 2024-12-03T23:13:54.977Z

Link: CVE-2024-12123

Vulnrichment

Updated: 2024-12-04T14:05:31.553Z

NVD

Status : Received

Published: 2024-12-04T04:15:04.430

Modified: 2024-12-04T04:15:04.430

Link: CVE-2024-12123

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-12123", "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "state": "PUBLISHED", "assignerShortName": "Gridware", "dateReserved": "2024-12-03T23:13:54.977Z", "datePublished": "2024-12-04T03:26:00.918Z", "dateUpdated": "2024-12-04T14:09:11.911Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Issuetrak", "vendor": "Issuetrak", "versions": [{"status": "affected", "version": "Issuetrak 17.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Harrison Daley"}], "datePublic": "2024-12-03T08:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(252, 252, 252);\">A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. \n\nWhen an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy.  The ticket requester can be changed from the original requester to another user in the same application, \nwhich the application then accepts.\n\n</span>"}], "value": "A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user.\u00a0\n\nWhen an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy.\u00a0 The ticket requester can be changed from the original requester to another user in the same application, \nwhich the application then accepts."}], "impacts": [{"capecId": "CAPEC-162", "descriptions": [{"lang": "en", "value": "CAPEC-162 Manipulating Hidden Fields"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-472", "description": "CWE-472: External Control of Assumed-Immutable Web Parameter", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-837", "description": "CWE-837 Improper Enforcement of a Single, Unique Action", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "shortName": "Gridware", "dateUpdated": "2024-12-04T03:26:00.918Z"}, "references": [{"url": "https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Ensure the Issuetrak application is updated to version 17.2 or later."}], "value": "Ensure the Issuetrak application is updated to version 17.2 or later."}], "source": {"discovery": "UNKNOWN"}, "title": "Unauthorized Modification of Ticket Requester", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12123", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-04T14:05:29.170205Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-04T14:09:11.911Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12123", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-04T14:05:29.170205Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-04T14:05:31.553Z"}}], "cna": {"title": "Unauthorized Modification of Ticket Requester", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Harrison Daley"}], "impacts": [{"capecId": "CAPEC-162", "descriptions": [{"lang": "en", "value": "CAPEC-162 Manipulating Hidden Fields"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Issuetrak", "product": "Issuetrak", "versions": [{"status": "affected", "version": "Issuetrak 17.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Ensure the Issuetrak application is updated to version 17.2 or later.", "supportingMedia": [{"type": "text/html", "value": "Ensure the Issuetrak application is updated to version 17.2 or later.", "base64": false}]}], "datePublic": "2024-12-03T08:00:00.000Z", "references": [{"url": "https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user.\u00a0\n\nWhen an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy.\u00a0 The ticket requester can be changed from the original requester to another user in the same application, \nwhich the application then accepts.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(252, 252, 252);\">A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. \n\nWhen an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy.  The ticket requester can be changed from the original requester to another user in the same application, \nwhich the application then accepts.\n\n</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-472", "description": "CWE-472: External Control of Assumed-Immutable Web Parameter"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-837", "description": "CWE-837 Improper Enforcement of a Single, Unique Action"}]}], "providerMetadata": {"orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "shortName": "Gridware", "dateUpdated": "2024-12-04T03:26:00.918Z"}}}, "cveMetadata": {"cveId": "CVE-2024-12123", "state": "PUBLISHED", "dateUpdated": "2024-12-04T14:09:11.911Z", "dateReserved": "2024-12-03T23:13:54.977Z", "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "datePublished": "2024-12-04T03:26:00.918Z", "assignerShortName": "Gridware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user.\u00a0\n\nWhen an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy.\u00a0 The ticket requester can be changed from the original requester to another user in the same application, \nwhich the application then accepts."}], "id": "CVE-2024-12123", "lastModified": "2024-12-04T04:15:04.430", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW"}, "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary"}]}, "published": "2024-12-04T04:15:04.430", "references": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "url": "https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes"}], "sourceIdentifier": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-472"}, {"lang": "en", "value": "CWE-837"}], "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary"}]}