CVE-2024-39033
Published: 06 February 2025
Summary
CVE-2024-39033 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability affecting Newgensoft OmniDocs 11.0_SP1_03_006 (the reference advisory is hosted on Pastebin). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 38.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-39033 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting Newgensoft OmniDocs version 11.0_SP1_03_006. The issue resides in the getuserproperty function, which improperly exposes users' configuration data and personally identifiable information (PII) due to inadequate access controls on object references. Published on 2025-02-06, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily from confidentiality impacts.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. By manipulating object references in requests to the getuserproperty function, they can retrieve sensitive configuration details and PII belonging to other users, achieving unauthorized data disclosure without affecting system integrity or availability.
Mitigation guidance and additional details are available in the referenced advisory at https://pastebin.com/SHExsfh6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53893
Vulnerability details
In Newgensoft OmniDocs 11.0_SP1_03_006, Insecure Direct Object Reference (IDOR) in the getuserproperty function allows user's configuration and PII to be stolen.
- CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR enables remote unauthenticated exploitation of the web app for unauthorized access to user config/PII data, directly mapping to T1190 (public-facing app exploitation) and T1087 (account discovery via exposed properties).
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations in the getuserproperty function, directly preventing IDOR exploitation and unauthorized access to other users' configuration and PII.
AC-24 mandates explicit access control decisions for system resources like user properties, mitigating manipulation of object references to steal sensitive data.
SI-10 validates information inputs such as object references to the getuserproperty function, reducing the risk of IDOR by ensuring references align with authorized access.
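The AC-3 / AC-24 point above is that the access decision must be made on the caller's identity, not on the object key the caller supplies. The following is a constructed example added here, not Newgensoft OmniDocs code (the real getuserproperty parameters are not published); the handler names, the Session shape and the user ids are assumptions.

```python
"""Hypothetical user-property lookup showing the IDOR class behind CVE-2024-39033."""
from dataclasses import dataclass
from typing import Optional

# Constructed store keyed by user id. The values are exactly what an IDOR in a
# user-property endpoint would leak: configuration plus PII.
USER_PROPERTIES = {
    "u100": {"email": "alice@example.invalid", "ui_theme": "dark"},
    "u200": {"email": "bob@example.invalid", "ui_theme": "light"},
}


@dataclass(frozen=True)
class Session:
    """Assumed caller context; user_id None models an unauthenticated request."""
    user_id: Optional[str]
    roles: frozenset = frozenset()


def get_user_property_vulnerable(session: Session, requested_user_id: str):
    """Defect (CWE-639): the user-controlled key alone selects the object.

    The session is accepted but never consulted, so any caller can read any
    user's record. Returns an (http_status, body) pair.
    """
    props = USER_PROPERTIES.get(requested_user_id)
    return (200, dict(props)) if props else (404, None)


def get_user_property_hardened(session: Session, requested_user_id: str):
    """AC-3 style enforcement: decide on who is asking before touching the key.

    Returns an (http_status, body) pair; the body is None unless authorized.
    """
    if session.user_id is None:
        return (401, None)  # no principal, no decision possible
    is_owner = session.user_id == requested_user_id
    is_admin = "admin" in session.roles
    if not (is_owner or is_admin):
        # Same status for "not yours" and "no such user", so the response
        # does not reveal which user ids exist.
        return (404, None)
    props = USER_PROPERTIES.get(requested_user_id)
    return (200, dict(props)) if props else (404, None)
```

The test exercises both handlers with an unauthenticated caller, a cross-user request, an owner request and an admin request to show where the vulnerable version leaks and the hardened one refuses.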