CVE-2024-57032
Published: 17 January 2025
Summary
CVE-2024-57032 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Wegia Wegia. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked in the top 31.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations for access to system resources, directly mitigating the incorrect access control in controle/control.php that allows unauthenticated password changes.
IA-5 requires secure management of authenticators including verification of existing passwords during changes, preventing arbitrary modifications without knowledge of the old password.
SI-10 mandates validation of critical inputs like the senha_antiga field, addressing the lack of old password verification in password change operations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Incorrect access control in the password change functionality enables unauthorized account manipulation (T1098) by allowing password changes without validating the old password, exploited via a public-facing web application (T1190).
NVD Description
WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha_antiga field.
Deeper analysisAI
CVE-2024-57032 is an incorrect access control vulnerability in WeGIA versions prior to 3.2.0, specifically within the controle/control.php component. The flaw arises because the application does not properly validate the value provided in the 'senha_antiga' (old password) field during password change operations. This allows arbitrary password modifications without knowledge of the existing password. The issue is associated with CWE-863 (Incorrect Authorization) and CWE-284 (Improper Access Control), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By submitting a crafted request to controle/control.php with any value in the senha_antiga field, attackers can change the password of any user account, potentially compromising administrative privileges and leading to high impacts on confidentiality, integrity, and availability.
Mitigation involves upgrading to WeGIA 3.2.0 or later, as versions prior to this release remain vulnerable. Further technical details and reproduction steps are documented in the vulnerability research repository at https://github.com/nmmorette/vulnerability-research/blob/main/CVE-2024-57032, with additional information available on the official WeGIA site at https://www.wegia.org/.
Details
- CWE(s)