CVE-2024-46635

MEDIUM

INROAD <v20240206 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-46635. PoCs published by h1thub.

AI-analyzed exploit summary The repository describes an improper input validation vulnerability in the GongZhiDao System's `/oaa/api/AccountMaster/GetCurrentUserInfo` endpoint, where passing `%20` as the `UserNameOrPhoneNumber` parameter discloses sensitive user information without authentication.

Description

An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter.

Exploits (1)

nomisec WRITEUP 1 stars

by h1thub · poc

https://github.com/h1thub/CVE-2024-46635

View Code ZIP pw:eip

The repository describes an improper input validation vulnerability in the GongZhiDao System's `/oaa/api/AccountMaster/GetCurrentUserInfo` endpoint, where passing `%20` as the `UserNameOrPhoneNumber` parameter discloses sensitive user information without authentication.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: GongZhiDao System (version unspecified)

No auth needed

Prerequisites: Network access to the vulnerable endpoint

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Various Sources

https://hithub.notion.site/Sensitive-Information-Disclosure-in-GongZhiDao-System-aaad25d2430f4a638d462194cfa87c8b

Scores

CVSS v3 5.9

EPSS 0.0025

EPSS Percentile 16.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-922

Status published

Published Sep 30, 2024

Tracked Since Feb 18, 2026