Miggo Logo
Miggo Vulnerability Database
CVE-2024-55186

CVE-2024-55186: Oqtane Framework Insecure Direct Object Reference vulnerability

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-55186
GHSA ID
GHSA-2hr5-cvwp-jr5w
EPSS Score
0.1516%
CWE
CWE-639
Published
12/20/2024
Updated
12/20/2024
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
Oqtane.Frameworknuget<= 6.0.0
Oqtane.Clientnuget<= 6.0.0
Oqtane.Servernuget<= 6.0.0
Oqtane.Sharednuget<= 6.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insufficient authorization checks in notification handling. The NotificationController's methods (Put/Delete) relied on the flawed IsAuthorized method which defaulted to granting access. The GitHub diff shows the authorization logic was corrected by: 1) Adding FromUserId checks in Put, 2) Changing IsAuthorized default from true to false, and 3) Adding ownership validation. The client-side View.razor component complements this vulnerability by providing the attack surface for IDOR exploitation through notification ID manipulation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n I*OR (Ins**ur* *ir**t O*j**t R***r*n**) vuln*r**ility *xists in Oqt*n* *r*m*work *.*.*, *llowin* * lo****-in us*r to ****ss in*ox m*ss***s o* ot**r us*rs *y m*nipul*tin* t** noti*i**tion I* in t** r*qu*st URL. *y ***n*in* t** noti*i**tion I*, *n *

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt *ut*oriz*tion ****ks in noti*i**tion **n*lin*. T** Noti*i**tion*ontroll*r's m*t*o*s (Put/**l*t*) r*li** on t** *l*w** `Is*ut*oriz**` m*t*o* w*i** ****ult** to *r*ntin* ****ss. T** *it*u* *i** s*ows t** *ut*or