Cyber Resilience

CVE-2024-50633

Severity: Low | Public PoC referenced

Published: 16 January 2025
Modified: 19 September 2025
KEV added: not listed
Patch: none referenced
CVSS v3.1 score: 0.0 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
EPSS score: 0.0901 (92.8th percentile)
Risk priority: 5 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-50633 is an uncategorised-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Cern Indico. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Local Account (T1087.001). The CVE ranks in the top 7.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2024-50633 is a reported Broken Object Level Authorization (BOLA) issue affecting Indico versions through 3.3.5. The flaw resides in the /api/principals component and is triggered by crafted POST requests that can expose user account details. The finding is tracked under CWE-201 and carries a CVSS 3.1 score of 0.0.

Any remote attacker without authentication or privileges can submit the malicious POST to retrieve information about other user accounts. The vendor disputes the report, stating that the observed behavior matches the application's intentional design, which permits all users to access certain principal data without role-based restrictions such as event-organizer privileges.

Public references consist of a GitHub repository and associated issue that document the claim, yet no vendor advisory, patch, or mitigation guidance is referenced. The associated EPSS score remains flat at 0.0901 with no material increase after disclosure.


Vulnerability details

A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrieve certain information about other user accounts (this functionality is, in the current design, not restricted to any privileged roles such as event organizer).

CWE(s): CWE-201 Insertion of Sensitive Information Into Sent Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1087.001 Local Account Discovery
Adversaries may attempt to get a listing of local system accounts.
Why these techniques?

The BOLA vulnerability allows authenticated attackers to access sensitive information about arbitrary user accounts by manipulating the 'User:ID' parameter in POST requests to /api/principals, which enables local account discovery.

CVEs Like This One

CVE-2026-33046 (same product: Cern Indico)
CVE-2026-25136 (same vendor: Cern)
CVE-2026-25733 (same vendor: Cern)
CVE-2025-68033 (shared CWE-201)
CVE-2026-32538 (shared CWE-201)
CVE-2025-68035 (shared CWE-201)
CVE-2026-20151 (shared CWE-201)
CVE-2026-27370 (shared CWE-201)
CVE-2026-39912 (shared CWE-201)
CVE-2026-42673 (shared CWE-201)

Affected Assets

cern indico, versions 3.2.9 to 3.3.2

Mitigating Controls (NIST 800-53 r5, AI-mapped)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access to information and resources in the /api/principals endpoint, directly preventing BOLA exploitation by unauthenticated attackers reading user account details.

SC-14 Public Access Protections (prevent): Implements protections for public access to system resources, mitigating PR:N exploitation of the network-accessible API endpoint that exposes user information without proper restrictions.

Least privilege (prevent): Ensures least privilege by restricting user access to only necessary information, reducing the scope of exposure in the intentionally permissive /api/principals functionality.
