CVE-2024-54818
Published: 08 January 2025
Summary
CVE-2024-54818 is a high-severity Improper Preservation of Permissions (CWE-281) vulnerability in Oretnom23 Computer Laboratory Management System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations for access to system resources, directly preventing low-privileged users from reaching the vulnerable /php-lms/admin/?page=user/list endpoint.
AC-25 implements a reference monitor to mediate and enforce access control policy over all subjects and objects, comprehensively addressing the incorrect access control implementation in this CVE.
AC-6 applies least privilege to restrict low-privileged (PR:L) accounts from performing high-impact unauthorized actions on user management functions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Incorrect access control in public-facing web app (/php-lms/admin/?page=user/list) enables exploitation for initial access (T1190) and unauthorized local account discovery (T1087.001).
NVD Description
SourceCodester Computer Laboratory Management System 1.0 is vulnerable to Incorrect Access Control. via /php-lms/admin/?page=user/list.
Deeper analysisAI
CVE-2024-54818 is an Incorrect Access Control vulnerability (CWE-281) in SourceCodester Computer Laboratory Management System 1.0, accessible via the /php-lms/admin/?page=user/list endpoint. Published on 2025-01-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact.
An attacker with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) without changing scope (S:U), potentially allowing unauthorized actions on user management functions.
Advisories and references include vulnerability research details at https://github.com/CloseC4ll/vulnerability-research/tree/main/CVE-2024-54818 and general guidance on preventing access control vulnerabilities from PortSwigger at https://portswigger.net/web-security/access-control#how-to-prevent-access-control-vulnerabilities. No specific patches are detailed in the provided information.
Details
- CWE(s)