CVE-2024-11216

High

Published: 05 March 2025

Published

05 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

EPSS Score 0.0004 12.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11216 is a high-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Gov (inferred from references). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Discovery (T1087); ranked at the 12.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Account Discovery (T1087) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to information and resources, directly preventing authorization bypass via user-controlled keys.

SI-10 Information Input Validation good match

prevent

Validates user-controlled inputs such as keys used in authorization decisions, blocking exploitation leading to private information exposure and session hijacking.

SI-2 Flaw Remediation good match

prevent

Identifies and remediates flaws like CVE-2024-11216 in Pik Online by applying vendor updates to version 3.1.5 or later.

MITRE ATT&CK Enterprise TechniquesAI

T1087 Account Discovery Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

Why these techniques?

Authorization bypass via user-controlled key and exposure of private information directly enables account footprinting (T1087 Account Discovery) and session hijacking via stolen web session data (T1539 Steal Web Session Cookie).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Authorization Bypass Through User-Controlled Key, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in PozitifIK Pik Online allows Account Footprinting, Session Hijacking.This issue affects Pik Online: before 3.1.5.

Deeper analysisAI

CVE-2024-11216 is an Authorization Bypass Through User-Controlled Key and Exposure of Private Personal Information to an Unauthorized Actor vulnerability in PozitifIK Pik Online. It affects Pik Online versions before 3.1.5 and enables account footprinting and session hijacking. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) and maps to CWE-359 (Exposure of Private Information to an Unauthorized Actor) and CWE-639 (Authorization Bypass Through User-Controlled Key). It was published on 2025-03-05.

An attacker requires low privileges (PR:L) to exploit this issue remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows high-impact confidentiality loss (C:H) through exposure of private personal information to unauthorized actors, alongside low-impact integrity (I:L) and availability (A:L) effects, facilitating account footprinting and session hijacking within the affected scope (S:U).

The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0052 provides further details. Affected systems should be updated to Pik Online version 3.1.5 or later to mitigate the issue.