Cyber Posture

CVE-2024-54851

HighPublic PoC

Published: 29 January 2025

Published
29 January 2025
Modified
23 May 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0004 11.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-54851 is a high-severity CSRF (CWE-352) vulnerability in Sismics Teedy. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match
prevent

SC-23 requires mechanisms to protect the authenticity of communications sessions, such as anti-CSRF tokens, directly addressing the lack of CSRF protection in Teedy.

SI-2 Flaw Remediation good match
prevent

SI-2 mandates identification, reporting, and timely correction of system flaws, comprehensively mitigating this CSRF vulnerability through patching or code remediation.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

RA-5 requires vulnerability scanning that would identify the CSRF flaw in Teedy during assessments, enabling proactive remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

CVE-2024-54851 is a CSRF vulnerability in the public-facing Teedy web application, enabling exploitation to perform unauthorized state-changing actions on behalf of authenticated users.

NVD Description

Teedy <= 1.12 is vulnerable to Cross Site Request Forgery (CSRF), due to the lack of CSRF protection.

Deeper analysisAI

CVE-2024-54851 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Teedy versions 1.12 and earlier, stemming from the absence of CSRF protection mechanisms. This flaw, classified under CWE-352, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, lack of required privileges, and potential for significant impacts on confidentiality, integrity, and availability.

An unauthenticated attacker (PR:N) can exploit this vulnerability by crafting a malicious webpage or resource that, when visited by an authenticated Teedy user (UI:R), triggers unauthorized requests to the Teedy application. Successful exploitation allows the attacker to perform actions on behalf of the victim user, potentially leading to high-impact outcomes such as data modification, deletion, or unauthorized access, depending on the user's privileges within the Teedy instance.

For mitigation details, refer to the advisory provided in the GitHub repository at https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54851/README.md, which documents the issue discovered by Tanguy Boisset.

Details

CWE(s)
CWE-352

Affected Products

sismics
teedy
≤ 1.12

CVEs Like This One

CVE-2025-22963Same product: Sismics Teedy
CVE-2024-54852Same product: Sismics Teedy
CVE-2025-2319Shared CWE-352
CVE-2025-23803Shared CWE-352
CVE-2025-25071Shared CWE-352
CVE-2025-23821Shared CWE-352
CVE-2025-30615Shared CWE-352
CVE-2025-22814Shared CWE-352
CVE-2025-28857Shared CWE-352
CVE-2025-28883Shared CWE-352

References