CVE-2024-8261
Published: 03 March 2025
Summary
CVE-2024-8261 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the Prolizyazilim (Proliz Software) Student Affairs Information System, OBS. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2024-8261 is an Authorization Bypass Through User-Controlled Key vulnerability (CWE-639) in Proliz Software OBS. The flaw allows exploitation of incorrectly configured access-control security levels: a client-supplied object reference selects which record the application returns, without the server verifying that the caller is entitled to it. The issue affects OBS versions before 24.0927. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N); the high severity comes entirely from the confidentiality impact, since the vector assigns no integrity or availability impact.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation lets the attacker bypass authorization controls by supplying a key of their choosing, gaining read access to sensitive data held in the affected OBS instance. Because no privileges are required, any OBS instance reachable from the internet is exposed to anyone who can guess or enumerate valid keys.
The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0049 provides details on this vulnerability. The fix is to upgrade to OBS version 24.0927 or later, where the issue is addressed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5602
Vulnerability details
Authorization Bypass Through User-Controlled Key vulnerability in Proliz Software OBS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OBS: before 24.0927.
- CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
An authorization bypass in a public-facing OBS application directly enables T1190: remote, unauthenticated initial access to the application and exposure of the data it holds.
Affected Assets
- Proliz Software OBS, versions before 24.0927
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization decisions on user-controlled keys, blocking the IDOR bypass described in CVE-2024-8261.
- Least-privilege scoping of object references: limits what a given principal's references can reach, so that even a bypassed key cannot expose the high-confidentiality data targeted by this vulnerability.
- AC-24 (Access Control Decisions): ensures access-control decisions are made by a trusted server-side mechanism rather than by trusting the user-supplied key that CVE-2024-8261 exploits.
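The following is an added illustration of the CWE-639 pattern described in the analysis above and of the AC-3 / AC-24 style enforcement listed in the controls; it is not code from Proliz Software, the advisory, or the OBS product. The record store, session store, request shape and student numbers are all constructed for the example. The vulnerable handler selects a record purely by the user-controlled key; the hardened handler authenticates the caller and lets server-side code decide whether the key belongs to that principal, returning the same failure for "missing" and "not yours" so the key space cannot be enumerated.

```python
# Added example (not code from Proliz Software or the advisory): a minimal
# student-record lookup showing the CWE-639 pattern and a hardened version.
# All names, data and the request shape below are constructed for illustration.


class Unauthenticated(Exception):
    """No valid session was presented."""


class NotFound(Exception):
    """Record missing, or not owned by the caller (deliberately indistinguishable)."""


# Constructed sample store: student number -> record, with the account that owns it.
RECORDS = {
    "2021001": {"owner": "alice", "name": "Alice", "gpa": 3.7, "national_id": "111-11-1111"},
    "2021002": {"owner": "bob", "name": "Bob", "gpa": 2.9, "national_id": "222-22-2222"},
}

# Constructed session store: session cookie -> authenticated account.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def get_record_vulnerable(request):
    """Vulnerable handler: the object is selected purely by a user-controlled key.

    There is no authentication and no check that the caller owns the record,
    so any remote client that can guess or enumerate student numbers reads
    everyone's data (the AV:N/PR:N/C:H profile in the advisory)."""
    student_no = request["query"]["student_no"]
    return RECORDS.get(student_no)


def get_record_hardened(request):
    """Hardened handler: authenticate first, then make the access decision in
    server-side code against the owner binding (NIST AC-3 / AC-24 style).

    The student number is still user-supplied, but it is only honoured when the
    server's own record says it belongs to the authenticated principal."""
    user = SESSIONS.get(request.get("cookie"))
    if user is None:
        raise Unauthenticated()
    record = RECORDS.get(request["query"]["student_no"])
    # Same failure for "no such record" and "not yours": a distinct 403 would
    # let an attacker confirm which keys exist and enumerate the key space.
    if record is None or record["owner"] != user:
        raise NotFound()
    return record


def leaked_keys(handler, candidate_keys, cookie=None):
    """Harness view of the bug: which candidate keys yield a record?

    Mirrors what a scanner would do against the endpoint, with or without a
    session. Returns the sorted list of keys for which the handler returned data."""
    leaked = []
    for key in candidate_keys:
        request = {"query": {"student_no": key}}
        if cookie is not None:
            request["cookie"] = cookie
        try:
            if handler(request) is not None:
                leaked.append(key)
        except (Unauthenticated, NotFound):
            pass
    return sorted(leaked)


if __name__ == "__main__":
    keys = ["2021001", "2021002", "2021003"]
    print("vulnerable, no session:", leaked_keys(get_record_vulnerable, keys))
    print("hardened, no session:  ", leaked_keys(get_record_hardened, keys))
    print("hardened, as alice:    ", leaked_keys(get_record_hardened, keys, cookie="sess-alice"))
```

Run stand-alone, the vulnerable handler leaks every existing record to an unauthenticated caller, while the hardened handler leaks nothing without a session and only the caller's own record with one. The point to carry over to a real review is the second check: a handler that authenticates but then still trusts the key to pick the object (without the `owner` comparison) has the same CWE-639 defect, just with PR:L instead of PR:N.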