CVE-2024-49376 HIGH

CVE-2024-49376: Autolab Has Misconfigured Reset Password Permissions

Vendor Autolab
Product Autolab
Weakness CWE-287 · Improper authentication
Published October 25, 2024
Last update October 25, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset-password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset the passwords of privileged users' accounts and thereby potentially gain access to them. This issue is fixed in version 3.0.1. No known workarounds exist.

Key dates

02 Disclosure timeline

October 25, 2024 CVE published
October 25, 2024 Record updated