Cyber Resilience

CVE-2024-8261

Severity: High (updated)
Published: 03 March 2025
Modified: 02 June 2026
KEV Added: not listed
Patch: fixed in OBS 24.0927
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (22.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-8261 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the Prolizyazilim Student Affairs Information System (Proliz Software OBS). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 22.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions): the first enforces an authorization check on every object reference, the second ensures that check is made by a trusted server-side mechanism rather than inferred from the client-supplied key.

Deeper analysis

CVE-2024-8261 is an Authorization Bypass Through User-Controlled Key vulnerability (CWE-639) in Proliz Software OBS. In this weakness class the application resolves a record directly from an identifier supplied by the client, typically a request parameter, without verifying that the requester is entitled to that record; the vendor advisory describes the result as exploiting incorrectly configured access control security levels. The issue affects OBS versions before 24.0927. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N); the High rating comes entirely from the confidentiality impact (C:H), with no integrity or availability impact scored.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation lets the attacker bypass authorization controls by supplying a key of their choosing, potentially gaining unauthorized read access to sensitive data held in the affected OBS instance. Because the vector scores PR:N, no valid account is needed; a single accepted key is enough, so predictable or sequential record identifiers make the exposure easier to scale.

The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0049 provides details on this vulnerability. Mitigation is to upgrade to OBS version 24.0927 or later, where the issue is addressed. Until the upgrade is applied, limit network exposure of the OBS instance and review access logs for clients that iterate through record keys.
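The pattern behind CWE-639 and the fix the AC-3/AC-24 controls describe, as an added illustration that is not Proliz OBS code and not taken from the advisory. The transcript store, the Session model, the role names and the endpoint shape are all assumptions constructed for the example; the vulnerable handler resolves a record straight from the client key with no check at all (matching the PR:N vector), while the hardened handler releases the record only after a single server-side authorization decision.

```python
"""CWE-639 in miniature: a record lookup keyed by a client-supplied identifier,
first with no authorization check, then with an explicit access-control decision.
Added illustration, not Proliz OBS code; the transcript store, the Session model
and the role names are constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: transcripts keyed by student number.
TRANSCRIPTS = {
    "20230001": {"owner": "20230001", "gpa": 3.4},
    "20230002": {"owner": "20230002", "gpa": 2.9},
    "20230003": {"owner": "20230003", "gpa": 3.8},
}


@dataclass(frozen=True)
class Session:
    subject: str  # authenticated principal, set server-side at login
    role: str     # "student" or "registrar" (assumed role names)


class Forbidden(Exception):
    pass


def get_transcript_vulnerable(session: Optional[Session], student_id: str):
    """VULNERABLE (the CVE-2024-8261 pattern, PR:N): the record is resolved
    straight from the request key. Nothing ties student_id to the caller, and
    an anonymous caller (session is None) is served too."""
    return TRANSCRIPTS.get(student_id)


def authorize_read(session: Optional[Session], record: dict) -> bool:
    """Single trusted decision point (the AC-24 idea): decides from server-side
    state only, never from anything the client sent."""
    if session is None:
        return False
    if session.role == "registrar":
        return True
    return session.role == "student" and record["owner"] == session.subject


def get_transcript_hardened(session: Optional[Session], student_id: str):
    """HARDENED (the AC-3 idea): the key still selects the object, but it is
    released only after authorize_read approves. Missing and forbidden records
    raise the same error so the key space cannot be mapped via 403-vs-404."""
    record = TRANSCRIPTS.get(student_id)
    if record is None or not authorize_read(session, record):
        raise Forbidden("not found or not permitted")
    return record


def get_own_transcript(session: Session):
    """Stronger still for self-service endpoints: the key is not accepted from
    the client at all but derived from the authenticated subject."""
    return get_transcript_hardened(session, session.subject)


def is_denied(session: Optional[Session], student_id: str) -> bool:
    try:
        get_transcript_hardened(session, student_id)
    except Forbidden:
        return True
    return False


def demo() -> dict:
    anon = None
    student = Session(subject="20230001", role="student")
    registrar = Session(subject="staff-17", role="registrar")
    return {
        "vulnerable_leaks_to_anonymous": get_transcript_vulnerable(anon, "20230002") is not None,
        "hardened_denies_anonymous": is_denied(anon, "20230002"),
        "hardened_denies_other_student": is_denied(student, "20230002"),
        "hardened_allows_own": get_own_transcript(student)["gpa"],
        "hardened_allows_registrar": get_transcript_hardened(registrar, "20230002")["gpa"],
        "hardened_hides_missing": is_denied(registrar, "99999999"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the authorization decision lives in one function fed only by server-side state; the client key selects the object but never influences whether access is granted, and for endpoints that only ever serve the caller's own record the key should not be accepted from the client at all.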


Vulnerability details

Authorization Bypass Through User-Controlled Key vulnerability in Proliz Software OBS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OBS: before 24.0927.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An authorization bypass in an Internet-facing OBS instance is reachable without credentials, so it maps directly to T1190: a remote, unauthenticated attacker gains initial access to the application and exposes data by exploiting the public-facing service itself.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
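A detection angle for T1190 against this weakness class, as an added example that is not part of the page or the vendor's product: an attacker who has found that a key parameter is honoured without authorization will usually walk the key space, and that shows up in access logs as one client retrieving many distinct, often consecutive, identifiers in a short window. The endpoint path `/obs/transcript?student_id=...`, the Apache-style log format and the log lines themselves are constructed for the example.

```python
"""Flag clients enumerating record keys against an IDOR-prone endpoint.
Added example; the endpoint path, log format and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-style access line (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed endpoint shape: the user-controlled key is the student_id parameter.
KEY_RE = re.compile(r'^/obs/transcript\?student_id=(?P<key>\d+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.5 reads its own record twice; 203.0.113.7 walks
# six consecutive keys in five seconds and gets 200 for each.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2025:09:00:01 +0300] "GET /obs/transcript?student_id=20230001 HTTP/1.1" 200 1843
10.0.0.5 - - [03/Mar/2025:09:00:40 +0300] "GET /obs/transcript?student_id=20230001 HTTP/1.1" 200 1843
203.0.113.7 - - [03/Mar/2025:09:01:00 +0300] "GET /obs/transcript?student_id=20230001 HTTP/1.1" 200 1843
203.0.113.7 - - [03/Mar/2025:09:01:01 +0300] "GET /obs/transcript?student_id=20230002 HTTP/1.1" 200 1790
203.0.113.7 - - [03/Mar/2025:09:01:02 +0300] "GET /obs/transcript?student_id=20230003 HTTP/1.1" 200 1811
203.0.113.7 - - [03/Mar/2025:09:01:03 +0300] "GET /obs/transcript?student_id=20230004 HTTP/1.1" 200 1802
203.0.113.7 - - [03/Mar/2025:09:01:04 +0300] "GET /obs/transcript?student_id=20230005 HTTP/1.1" 200 1777
203.0.113.7 - - [03/Mar/2025:09:01:05 +0300] "GET /obs/transcript?student_id=20230006 HTTP/1.1" 200 1820
203.0.113.7 - - [03/Mar/2025:09:01:06 +0300] "GET /obs/login HTTP/1.1" 200 512
"""


def parse(log_text: str):
    """Yield (ip, timestamp, key) for successful hits on the keyed endpoint.
    Only 200 responses count: a 403/404 answer did not leak a record."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        k = KEY_RE.match(m["path"])
        if not k or m["status"] != "200":
            continue
        events.append((m["ip"], datetime.strptime(m["ts"], TS_FMT), int(k["key"])))
    return events


def longest_sequential_run(keys) -> int:
    """Length of the longest run of consecutive integer keys (enumeration hint)."""
    ordered = sorted(set(keys))
    best = run = 1 if ordered else 0
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text: str, window=timedelta(seconds=60), min_distinct=5) -> dict:
    """Return {ip: stats} for clients that fetched >= min_distinct distinct keys
    inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for ip, ts, key in parse(log_text):
        by_ip[ip].append((ts, key))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best_distinct, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best_distinct = max(best_distinct, len({k for _, k in evs[start:end + 1]}))
        if best_distinct >= min_distinct:
            findings[ip] = {
                "distinct_keys": best_distinct,
                "sequential_run": longest_sequential_run([k for _, k in evs]),
            }
    return findings


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

The thresholds are starting points, not tuned values: a registrar's legitimate batch workflow can also touch many records, so the finding is best joined with the authenticated identity (or its absence) behind the source address before it is escalated.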

CVEs Like This One

CVE-2024-8262 (same product: Prolizyazilim Student Affairs Information System)
CVE-2024-50693 (shared CWE-639)
CVE-2025-69394 (shared CWE-639)
CVE-2026-41471 (shared CWE-639)
CVE-2025-58402 (shared CWE-639)
CVE-2025-68051 (shared CWE-639)
CVE-2026-4503 (shared CWE-639)
CVE-2026-43890 (shared CWE-639)
CVE-2026-25563 (shared CWE-639)
CVE-2026-3321 (shared CWE-639)

Affected Assets

Prolizyazilim Student Affairs Information System (Proliz Software OBS)
Versions before 24.0927 (fixed in 24.0927)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Directly enforces authorization decisions on user-controlled keys to block the IDOR bypass described in CVE-2024-8261.

Least privilege on object references (prevent)
Limits privileges on object references so that even a bypassed key cannot expose the high-confidentiality data targeted by this vulnerability.

AC-24 Access Control Decisions (prevent)
Ensures access-control decisions are made by a trusted mechanism rather than by trusting the user-supplied key that CVE-2024-8261 exploits.

References

USOM advisory TR-25-0049: https://www.usom.gov.tr/bildirim/tr-25-0049