CVE-2024-7049 Vulnerability Details

  /     /     /  

CVE-2024-7049 Metadata Quick Info

CVE Published: 10/10/2024 | CVE Updated: 10/10/2024 | CVE Year: 2024
Source: @huntr_ai | Vendor: open-webui | Product: open-webui/open-webui
Status : PUBLISHED

---

CVE-2024-7049 Description

In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This allows the user to perform actions without admin confirmation, bypassing the intended approval process.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-488
CWE Name: CWE-488 Exposure of Data Element to Wrong Session
Source: open-webui

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).