CVE-2024-27730
Published: 15 August 2024
Summary
CVE-2024-27730 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Friendica. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-27730 is an insecure permissions vulnerability, categorized under CWE-639, that affects Friendica version 2023.12. The flaw resides in the calendar event feature and is triggered through the cid parameter, enabling unauthorized access that can result in disclosure of sensitive information or execution of arbitrary code. The issue carries a CVSS 3.1 score of 9.8, reflecting a network-accessible attack with no required authentication or user interaction.
A remote attacker can exploit the vulnerability without credentials by supplying a crafted cid value to the calendar endpoint, thereby bypassing authorization checks to read protected data or run arbitrary code on the server.
The referenced GitHub pull request 13927 contains the corrective changes merged into the Friendica codebase, while the accompanying disclosure post at leo.oliver.nz details the discovery and responsible reporting process for this and related issues. The EPSS score has remained flat at 0.0559 with no material increase since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24924
Vulnerability details
Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature.
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Friendica v.2023.12
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; any controls listed here are derived from the weakness type cited in the NVD entry (CWE-639) rather than from analysis of this CVE specifically.