Cyber Resilience

CVE-2024-39033

High

Published: 06 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch:
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0017 (38.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-39033 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Pastebin (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) it ranks at the 38.2nd percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-39033 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting Newgensoft OmniDocs version 11.0_SP1_03_006. The issue resides in the getuserproperty function, which improperly exposes users' configuration data and personally identifiable information (PII) due to inadequate access controls on object references. Published on 2025-02-06, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily from confidentiality impacts.

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. By manipulating object references in requests to the getuserproperty function, they can retrieve sensitive configuration details and PII belonging to other users, achieving unauthorized data disclosure without affecting system integrity or availability.
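The pattern described above, as an added example that is not OmniDocs code: a minimal user-property lookup in its IDOR form beside a hardened form that applies the controls listed under Mitigating Controls (AC-3/AC-24 authorization, SI-10 input validation). The user ids, property names and store are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: per-user configuration and PII keyed by user id.
USER_PROPERTIES = {
    "u1001": {"email": "alice@example.test", "theme": "dark"},
    "u1002": {"email": "bob@example.test", "theme": "light"},
}

@dataclass
class Session:
    """Authenticated principal for a request; user_id None = anonymous."""
    user_id: Optional[str]
    is_admin: bool = False

class AccessDenied(Exception):
    """Raised for both 'not yours' and 'not found' so the response does not
    reveal whether the referenced account exists."""

def get_user_property_vulnerable(session: Session, user_id: str, prop: str):
    """IDOR (CWE-639): the caller-supplied key selects the record directly
    and the session is never consulted, so any user id can be read."""
    return USER_PROPERTIES[user_id][prop]

def get_user_property_hardened(session: Session, user_id: str, prop: str):
    """Same lookup with authorization (AC-3 / AC-24) and input validation
    (SI-10) applied before the object reference is used."""
    # SI-10: reject keys that are not well-formed before touching the store.
    if not re.fullmatch(r"u\d{4}", user_id) or not re.fullmatch(r"[a-z_]+", prop):
        raise ValueError("malformed object reference")
    # AC-3: an unauthenticated request gets no object-level access at all.
    if session.user_id is None:
        raise AccessDenied()
    # AC-24: decide per request by comparing the referenced object with the
    # authenticated principal instead of trusting the supplied key.
    if user_id != session.user_id and not session.is_admin:
        raise AccessDenied()
    record = USER_PROPERTIES.get(user_id)
    if record is None or prop not in record:
        raise AccessDenied()
    return record[prop]

def demo():
    """Returns (what the vulnerable form leaks, whether the hardened form blocks)."""
    leaked = get_user_property_vulnerable(Session(None), "u1001", "email")
    try:
        get_user_property_hardened(Session("u1002"), "u1001", "email")
        blocked = False
    except AccessDenied:
        blocked = True
    return leaked, blocked
```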

Mitigation guidance and additional details are available in the referenced advisory at https://pastebin.com/SHExsfh6.

EU & UK References

Vulnerability details

In Newgensoft OmniDocs 11.0_SP1_03_006, Insecure Direct Object Reference (IDOR) in the getuserproperty function allows user's configuration and PII to be stolen.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1087 Account Discovery (tactic: Discovery): Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.

Why these techniques?

IDOR enables remote unauthenticated exploitation of the web app for unauthorized access to user config/PII data, directly mapping to T1190 (public-facing app exploitation) and T1087 (account discovery via exposed properties).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-50693 (shared CWE-639)
- CVE-2025-69394 (shared CWE-639)
- CVE-2026-41471 (shared CWE-639)
- CVE-2025-58402 (shared CWE-639)
- CVE-2025-68051 (shared CWE-639)
- CVE-2026-4503 (shared CWE-639)
- CVE-2026-43890 (shared CWE-639)
- CVE-2026-25563 (shared CWE-639)
- CVE-2024-8261 (shared CWE-639)
- CVE-2026-3321 (shared CWE-639)

Affected Assets

Pastebin (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

- AC-3 Access Enforcement (prevent): requires enforcement of approved authorizations in the getuserproperty function, directly preventing IDOR exploitation and unauthorized access to other users' configuration and PII.
- AC-24 Access Control Decisions (prevent): mandates explicit access control decisions for system resources like user properties, mitigating manipulation of object references to steal sensitive data.
- SI-10 Information Input Validation (prevent): validates information inputs such as object references to the getuserproperty function, reducing the risk of IDOR by ensuring references align with authorized access.

References