CVE-2024-28087

MEDIUM

Bonita Server < 10.1.0.W11 - Insecure Direct Object Reference via Missing Dynamic Permissions

Title source: llm

Description

In the Bonitasoft runtime Community edition, the absence of dynamic permission checks causes an Insecure Direct Object Reference (IDOR) vulnerability: a request is authorized only by whether the caller's profile may use the resource at all, never by whether the caller may access the specific object it names. Dynamic permissions previously existed only in the Subscription edition; they have now been restored in the Community edition, where they are not customizable.
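The following is an added illustrative model, not Bonita's code, of the bug class this entry describes. It contrasts a static check (resource-level, by profile) with a dynamic check (per-object rule, here "started by the caller or caller is an Administrator"), and shows how a low-privileged user can enumerate other users' objects when only the static check runs. The resource name, the `Case`/`User` types, the sample users and the ownership rule are all assumptions made for the example; the real Bonita permission configuration and rule interface are not reproduced here.

```python
"""Model of static vs. dynamic (per-object) authorization to show an IDOR.

Added example: this is NOT Bonita code. It models the CWE-284 bug class
behind CVE-2024-28087. A static permission answers "may this profile call
the resource at all?"; a dynamic permission answers "may this user touch
*this* object?". Without the second check, any authenticated user can walk
sequential ids and read objects that belong to others.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Case:
    case_id: int
    started_by: str  # user who started the process instance (assumed field)


@dataclass(frozen=True)
class User:
    name: str
    profile: str  # e.g. "User" or "Administrator" (assumed profile names)


# Static permissions: resource -> profiles allowed to call it at all.
STATIC_PERMISSIONS: Dict[str, set] = {"GET /case": {"User", "Administrator"}}


# Dynamic permission rule: may `user` access `case`? (assumed rule, not Bonita's)
def case_permission_rule(user: User, case: Case) -> bool:
    return user.profile == "Administrator" or case.started_by == user.name


DYNAMIC_PERMISSIONS: Dict[str, Callable[[User, Case], bool]] = {
    "GET /case": case_permission_rule,
}

# Constructed sample data: two cases owned by two different users.
CASES: Dict[int, Case] = {1: Case(1, "alice"), 2: Case(2, "bob")}


def get_case(user: User, case_id: int,
             dynamic_checks_enabled: bool) -> Tuple[int, Optional[Case]]:
    """Simulate GET /case/{id}. Returns (HTTP status, body).

    Static denial (profile may never call the resource) -> 403.
    Missing object OR dynamic denial -> 404, deliberately the same status so
    that a caller who is not allowed to see an object cannot use the status
    code as an oracle for whether that id exists.
    """
    if user.profile not in STATIC_PERMISSIONS["GET /case"]:
        return 403, None
    case = CASES.get(case_id)
    if case is None:
        return 404, None
    if dynamic_checks_enabled:
        rule = DYNAMIC_PERMISSIONS.get("GET /case")
        if rule is not None and not rule(user, case):
            return 404, None
    return 200, case


def enumerate_cases(user: User, dynamic_checks_enabled: bool,
                    max_id: int = 10) -> List[int]:
    """IDOR probe: walk ids 1..max_id and return those the user can read."""
    return [
        cid for cid in range(1, max_id + 1)
        if get_case(user, cid, dynamic_checks_enabled)[0] == 200
    ]


if __name__ == "__main__":
    bob = User("bob", "User")
    # Static check only: bob reads alice's case as well as his own.
    print("static only :", enumerate_cases(bob, dynamic_checks_enabled=False))
    # Static + dynamic check: bob sees only the case he started.
    print("with dynamic:", enumerate_cases(bob, dynamic_checks_enabled=True))
```

The point of the model is the ordering of the two questions: the profile check alone is satisfied by every authenticated user, so it cannot distinguish bob asking for case 2 from bob asking for case 1. Only a rule that receives the resolved object (or at least its owner) can. When adding such a rule to a real service, also decide whether an unauthorized request should be distinguishable from a non-existent id; the model returns 404 for both to avoid giving an enumerating client an existence oracle.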

Scores

CVSS v3 6.5
EPSS 0.0032
EPSS Percentile 23.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-284 (Improper Access Control)
Status published
Products (1)
org.bonitasoft.engine/bonita-server (Maven), versions 0 - 10.1.0.W11
Published May 15, 2024
Tracked Since Feb 18, 2026