CVE-2024-54450

CRITICAL

Kurmi Provisioning Suite 7.9.0.33 - Info Disclosure

Title source: llm

Description

An issue was discovered in Kurmi Provisioning Suite 7.9.0.33. If an X-Forwarded-For header is received during authentication, the Kurmi application will record the (possibly forged) IP address mentioned in that header rather than the real IP address that the user logged in from. This fake IP address can later be displayed in the My Account popup that shows the IP address that was used to log in.

References (2)

[Various Sources] https://kurmi-software.com

[Various Sources] https://kurmi-software.com/cve/cve-2024-54450/

Scores

CVSS v3 9.4

EPSS 0.0017

EPSS Percentile 38.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-290

Status published

Published Dec 27, 2024

Tracked Since Feb 18, 2026