Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-25632

Date: October 1, 2024

eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user may be an administrator in one team and a regular user in another. The vulnerability allows a regular user to become administrator of a team where they are a member, under a reasonable configuration. Additionally, in eLabFTW versions subsequent to v5.0.0, the vulnerability may allow an initially unauthenticated user to gain administrative privileges over an arbitrary team. The vulnerability does not affect system administrator status. Users should upgrade to version 5.1.0. System administrators are advised to turn off local user registration, saml_team_create and not allow administrators to import users into teams, unless strictly required.

Language: PHP

Severity Score

Related Resources (3)

https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg
https://nvd.nist.gov/vuln/detail/CVE-2024-25632
https://www.mend.io/vulnerability-database/CVE-2024-25632

Severity Score

Weakness Type (CWE)

Incorrect Privilege Assignment

CWE-266

Placement of User into Incorrect Group

CWE-842

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): LOW
Availability (A): LOW

Do you need more information?

Contact Us