CVE-2024-32470 MEDIUM

CVE-2024-32470: Tolgee API keys created by server admin users bypass the permission check

Vendor Tolgee
Product tolgee-platform
Weakness CWE-863 · Incorrect authorization
Published April 18, 2024
Last update August 2, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check entirely. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.

Key dates

02 Disclosure timeline

April 18, 2024 CVE published
August 2, 2024 Record updated