
CVE-2024-44313

High · Public PoC

Published: 18 March 2025
Modified: 02 April 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0124 (79.7th percentile)
Risk Priority: 17 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-44313 is a high-severity Improper Access Control (CWE-284) vulnerability in TastyIgniter (vendor and product both listed as TastyIgniter), affecting version 3.7.6. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 20.3% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

TastyIgniter version 3.7.6 is affected by CVE-2024-44313, an Incorrect Access Control vulnerability (CWE-284) in the invoice() function of the admin Orders controller (app/admin/controllers/Orders.php). The action performs no permission check before rendering an invoice, so any authenticated account that can reach the controller can invoke it for any order. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N): reachable over the network with low attack complexity, with high confidentiality and integrity impact and no availability impact.

An attacker with low privileges (PR:L), such as an authenticated account whose role does not include order management, can exploit this remotely with low complexity and no user interaction. By requesting the invoice() action for an order ID the account is not authorized to handle, the attacker can read other customers' order details and generate invoice documents for orders they should not be able to process. This is a function-level authorization failure: the check that should gate the action is absent rather than bypassed. Confidentiality and integrity are rated High; availability is unaffected.

References for mitigation include the affected source in the TastyIgniter GitHub repository (https://github.com/tastyigniter/TastyIgniter/blob/3.x/app/admin/controllers/Orders.php) and the disclosure write-up on Medium (https://medium.com/@cnetsec/cve-2024-44313-incorrect-access-control-in-tastyigniter-3-7-6-01a73c548b74). Practitioners should confirm that the deployed invoice() action enforces a permission check and upgrade past version 3.7.6. This page does not identify the fixed release, so verify the check in the version actually deployed rather than assuming a later tag contains it.
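A framework-free sketch of the flaw and its fix, added here as an illustration; it is not TastyIgniter's code and not taken from the disclosure. The class names, the permission name 'Admin.Orders', the User and Order shapes and the in-memory repository are all assumptions. The point is the shape of the fix: the permission check runs before the order is loaded, so the action denies by default and reveals nothing about other customers' orders to an account that lacks the permission. Requires PHP 8.1 or later.

```php
<?php
// Added example, not TastyIgniter's code. Models the missing-permission-check
// pattern behind CVE-2024-44313 without the framework. All names are assumed.
declare(strict_types=1);

final class User
{
    /** @param string[] $permissions permission names granted to this account */
    public function __construct(public readonly int $id, public readonly array $permissions) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class Order
{
    public function __construct(public readonly int $id, public readonly int $customerId, public readonly float $total) {}
}

/** Stand-in for the database: a few constructed orders. */
final class OrderRepository
{
    /** @var array<int, Order> */
    private array $orders;

    public function __construct()
    {
        $this->orders = [
            101 => new Order(101, 7, 42.50),
            102 => new Order(102, 9, 118.00),
        ];
    }

    public function find(int $orderId): ?Order
    {
        return $this->orders[$orderId] ?? null;
    }
}

final class ForbiddenException extends RuntimeException {}

/** Vulnerable shape: any authenticated caller can render any invoice. */
final class VulnerableOrdersController
{
    public function __construct(private OrderRepository $orders) {}

    public function invoice(User $user, int $orderId): string
    {
        // No authorization check at all; $user is never consulted.
        $order = $this->orders->find($orderId) ?? throw new RuntimeException("Order $orderId not found");
        return sprintf('INVOICE #%d customer=%d total=%.2f', $order->id, $order->customerId, $order->total);
    }
}

/** Hardened shape: enforce an explicit permission before touching the record. */
final class HardenedOrdersController
{
    public const REQUIRED_PERMISSION = 'Admin.Orders'; // assumed permission name

    public function __construct(private OrderRepository $orders) {}

    public function invoice(User $user, int $orderId): string
    {
        // Deny by default (AC-3 / AC-24): the decision is made before any data
        // is loaded, so an unauthorized caller cannot probe which order IDs exist.
        if (!$user->hasPermission(self::REQUIRED_PERMISSION)) {
            throw new ForbiddenException("user {$user->id} lacks " . self::REQUIRED_PERMISSION);
        }
        $order = $this->orders->find($orderId) ?? throw new RuntimeException("Order $orderId not found");
        return sprintf('INVOICE #%d customer=%d total=%.2f', $order->id, $order->customerId, $order->total);
    }
}

// Constructed scenario: a low-privileged staff account without the orders permission.
$repo = new OrderRepository();
$lowPriv = new User(3, ['Admin.Dashboard']);

// Vulnerable: another customer's invoice is rendered for a user who should not see it.
echo (new VulnerableOrdersController($repo))->invoice($lowPriv, 102), PHP_EOL;

// Hardened: the same request is refused before the order is even looked up.
try {
    (new HardenedOrdersController($repo))->invoice($lowPriv, 102);
} catch (ForbiddenException $e) {
    echo '403 Forbidden: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php invoice_check.php`. The hardened version only restores the function-level check that the vulnerable action lacks; whether an account that does hold the permission may handle this particular order (an object-level check on the loaded Order) is a separate decision that a function-level permission alone does not provide.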


Vulnerability details

TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the invoice() function within Orders.php which allows unauthorized users to access and generate invoices due to missing permission checks.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The flaw is a missing permission check in a web application's invoice generation action, so a low-privileged authenticated user can reach data and functionality reserved for roles with order permissions. Reaching the action through the Internet-facing application maps to Exploit Public-Facing Application (T1190); using it to act with rights the account was never granted maps to Exploitation for Privilege Escalation (T1068). T1068 is applied here in the web-application sense (a vertical authorization bypass): nothing on this page indicates the attacker gains OS-level or full administrative privileges, only access to the unprotected action.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29315 (shared CWE-284)
CVE-2025-55261 (shared CWE-284)
CVE-2026-21636 (shared CWE-284)
CVE-2025-57130 (shared CWE-284)
CVE-2024-53348 (shared CWE-284)
CVE-2025-20229 (shared CWE-284)
CVE-2026-24300 (shared CWE-284)
CVE-2026-20750 (shared CWE-284)
CVE-2025-2280 (shared CWE-284)
CVE-2025-70064 (shared CWE-284)

Affected Assets

Vendor: tastyigniter
Product: tastyigniter
Version: 3.7.6

Mitigating Controls (NIST 800-53 r5) [AI]

AC-3 Access Enforcement (prevent): requires systems to enforce approved authorizations for access to resources, directly addressing the missing permission checks in the invoice() function that permitted unauthorized invoice access and generation.

AC-6 Least Privilege (prevent): enforces least-privilege principles, so low-privilege users (PR:L) cannot reach sensitive admin functions such as invoice generation without an explicit grant.

AC-24 Access Control Decisions (prevent): mandates that access control decisions are made and acted upon before access is granted, mitigating the absence of authorization logic in the vulnerable Orders.php invoice() function.
