CVE-2024-55470

HIGH

Oqtane Framework 6.0.0 - Authentication Bypass via EntityID Parameter Spoofing

Description

Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.

Scores

CVSS v3 7.5
EPSS 0.0044
EPSS Percentile 34.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-290
Status published
Products (2)
nuget/Oqtane.Framework (NuGet)
nuget/Oqtane.Server (NuGet)
Published Dec 20, 2024
Tracked Since Feb 18, 2026