CVE-2024-46635

MEDIUM

INROAD <v20240206 - Info Disclosure

Title source: llm

Description

An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter.

Exploits (1)

nomisec WRITEUP 1 stars

by h1thub · poc

https://github.com/h1thub/CVE-2024-46635

View Code ZIP pw:eip

References (1)

[Various Sources] https://hithub.notion.site/Sensitive-Information-Disclosure-in-GongZhiDao-System-aaad25d2430f4a638d462194cfa87c8b

Scores

CVSS v3 5.9

EPSS 0.0104

EPSS Percentile 77.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-922

Status published

Published Sep 30, 2024

Tracked Since Feb 18, 2026