Incorrect Access Control vulnerability in ZLMediaKit allows remote attackers to escalate privileges and obtain sensitive information
CVE-2024-27488

9.8CRITICAL

Key Information:

Vendor: ZLMediaKit
Status: ZLMediaKit
Vendor: CVE Published:; 8 April 2024

What is CVE-2024-27488?

An access control vulnerability exists in ZLMediaKit, versions 1.0 through 8.0, allowing remote attackers to escalate privileges and access sensitive information. This issue arises because the application enables its HTTP API interface by default and relies on a hardcoded secret parameter for authenticating its RESTful API. This configuration can be exploited by attackers to bypass security measures, leading to unauthorized access and potential data breaches.

References

https://gist.github.com/tr4pmaker/44442d6f068458175213f4b...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2024
Vulnerability Reserved
Feb 26, 2024

CVE-2024-27488 Data

JSON