CVE-2024-44313
Published: 18 March 2025
Summary
CVE-2024-44313 is a high-severity Improper Access Control (CWE-284) vulnerability in TastyIgniter. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 20.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
TastyIgniter version 3.7.6 is affected by CVE-2024-44313, an Incorrect Access Control vulnerability (CWE-284) in the invoice() function of the admin controller app/admin/controllers/Orders.php. The flaw arises from missing permission checks: the action performs no authorization decision before generating an invoice, so reaching the route is enough to use it. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity because of its confidentiality and integrity impact over the network.
An attacker with low privileges (PR:L), such as a registered user with basic access, can exploit this vulnerability remotely with low complexity and no user interaction required. By invoking the invoice() function without proper authorization, the attacker gains access to other users' invoices, allowing them to view sensitive order details and generate fraudulent or manipulated invoice documents. The impact on confidentiality and integrity is rated High; availability is not affected.
References for mitigation include the vulnerable source code in the TastyIgniter GitHub repository at https://github.com/tastyigniter/TastyIgniter/blob/3.x/app/admin/controllers/Orders.php and a detailed disclosure on Medium at https://medium.com/@cnetsec/cve-2024-44313-incorrect-access-control-in-tastyigniter-3-7-6-01a73c548b74. Security practitioners should review these for implementation of permission checks or upgrades beyond version 3.7.6.
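As an added illustration (not TastyIgniter's code and not taken from the references above), the authorization gap described in this section is modelled beside the checked form that AC-3 and AC-6 call for. The User and Order classes, the permission name 'Admin.Orders' and the ownership rule are assumptions made for this example; PHP 8.0 or later is assumed.

```php
<?php
// Added illustration, not TastyIgniter's code: two shapes of an admin
// controller's invoice() action. User, Order and the permission name
// 'Admin.Orders' are constructed for this example.

final class User {
    public function __construct(public int $id, public array $permissions) {}
    public function hasPermission(string $perm): bool {
        return in_array($perm, $this->permissions, true);
    }
}

final class Order {
    public function __construct(public int $id, public int $customerId, public string $total) {}
}

// Vulnerable shape: the action assumes that reaching the route implies
// authorization, so any authenticated user receives the invoice.
function invoiceUnchecked(User $actor, Order $order): string {
    return sprintf('INVOICE #%d total=%s', $order->id, $order->total);
}

// Hardened shape (AC-3 / AC-6): an explicit access decision precedes any work.
// Staff need the order-management permission; a customer may only see their own order.
function invoiceChecked(User $actor, Order $order): string {
    $allowed = $actor->hasPermission('Admin.Orders') || $actor->id === $order->customerId;
    if (!$allowed) {
        // Deny by default and leave an audit trail so repeated denials can be detected.
        error_log(sprintf('denied invoice: user=%d order=%d', $actor->id, $order->id));
        throw new RuntimeException('Forbidden', 403);
    }
    return sprintf('INVOICE #%d total=%s', $order->id, $order->total);
}

// Constructed sample: a low-privileged user (PR:L) requests another customer's order.
$lowPriv = new User(42, []);
$someoneElsesOrder = new Order(1001, 7, '59.90');

echo invoiceUnchecked($lowPriv, $someoneElsesOrder), PHP_EOL;
try {
    echo invoiceChecked($lowPriv, $someoneElsesOrder), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The unchecked call returns the invoice for the low-privileged user, while the checked call refuses it and logs the denial; a user holding 'Admin.Orders', or the order's own customer, passes the check.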
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54210
Vulnerability details
TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the invoice() function within Orders.php which allows unauthorized users to access and generate invoices due to missing permission checks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an access control flaw (missing permission checks) in a web application's invoice generation function, allowing a low-privileged authenticated user to access restricted sensitive data and functionality. This directly enables exploitation of the public-facing application (T1190) and exploitation for privilege escalation to unauthorized data access and manipulation (T1068).
Mitigating Controls (NIST 800-53 r5)
AC-3 requires systems to enforce approved authorizations for access to resources, directly addressing the missing permission checks in the invoice() function that permitted unauthorized invoice access and generation.
AC-6 enforces least privilege principles, preventing low-privilege users (PR:L) from accessing sensitive admin functions like invoice generation without proper permissions.
AC-24 mandates making and acting on access control decisions, mitigating the absence of authorization logic in the vulnerable Orders.php invoice() function.