CVE-2024-28345
Published: 10 April 2024
Summary
CVE-2024-28345 is a medium-severity vulnerability, with an unspecified weakness type, in Sipwise Next Generation Communication Platform. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Discovery (T1087). The CVE ranks at the 29.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25443
Vulnerability details
An issue discovered in Sipwise C5 NGCP Dashboard below mr11.5.1 allows a low-privileged user to access the Journal endpoint by directly visiting the URL.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Broken access control (CVE-2024-28345) enables low-privileged users to directly access the Journal endpoint via URL manipulation (IDOR), disclosing user account details (usernames, emails, roles) and audit logs of account changes, facilitating account discovery, permission groups discovery, and log enumeration.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.