CVE-2024-55470

HIGH

NuGet Oqtane.Framework - Authentication Bypass by Spoofing

Description

Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.

Scores

CVSS v3 7.5
EPSS 0.0004
EPSS Percentile 11.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-290
Status published
Products (2)
nuget/Oqtane.Framework 0NuGet
nuget/Oqtane.Server 0NuGet
Published Dec 20, 2024
Tracked Since Feb 18, 2026