alf.io, a widely used open-source ticket reservation system, was affected by a high-severity Insecure Direct Object Reference (IDOR) vulnerability tracked as CVE-2024-25635. In versions before 2.0-M4-2402, an authenticated organization owner could request the admin endpoint http://192.168.26.128:8080/admin/api/users/<user_id> with an arbitrary user ID and retrieve the record of any user, including users belonging to other organizations, because the endpoint checked the caller's role but not whether the requested user was in one of the caller's organizations. The disclosed records include API keys: alf.io represents an API key as a dedicated user whose username is the key itself, so reading another owner's user records reveals their keys.
GitHub, Inc. assigned the vulnerability a CVSS base score of 8.8 (High). The score reflects that a low-privileged authenticated user can, with no user interaction, obtain credentials that grant access to other organizations' data, so the impact is not limited to reading user metadata.
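The following is an added illustration, not alf.io's code, of the access-control gap described above: a handler that only checks the caller's role beside one that also requires the target user to share an organization with the caller, plus a small loop that walks the ID space the way an attacker would. The user directory, role names and API-key username are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class User:
    id: int
    username: str
    user_type: str      # "USER" (human account) or "API_KEY" (key stored as the username)
    roles: Set[str]
    org_ids: Set[int]   # organizations the user belongs to


# Constructed sample directory (hypothetical, not alf.io data): two organizations,
# each with an owner, one operator in org 10, and one API key owned by org 20.
USERS: Dict[int, User] = {
    1: User(1, "alice", "USER", {"ROLE_OWNER"}, {10}),
    2: User(2, "bob", "USER", {"ROLE_OWNER"}, {20}),
    3: User(3, "bob-org-api-key-Zr8xQ", "API_KEY", {"ROLE_API_CLIENT"}, {20}),
    4: User(4, "carol", "USER", {"ROLE_OPERATOR"}, {10}),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def _require_owner(requester_id: int) -> User:
    """Authentication plus role check; this is all the vulnerable handler does."""
    requester = USERS.get(requester_id)
    if requester is None or "ROLE_OWNER" not in requester.roles:
        raise Forbidden("caller is not an organization owner")
    return requester


def get_user_vulnerable(requester_id: int, target_id: int) -> User:
    """Hypothetical vulnerable handler: verifies the caller is an owner but
    never checks that the target belongs to one of the caller's organizations,
    so any owner can read any user, API-key users included."""
    _require_owner(requester_id)
    target = USERS.get(target_id)
    if target is None:
        raise KeyError(target_id)
    return target


def get_user_fixed(requester_id: int, target_id: int) -> User:
    """Hardened handler: the target must share an organization with the caller.
    "Not found" and "not yours" collapse into one error so the ID space cannot
    be probed for which IDs exist."""
    requester = _require_owner(requester_id)
    target = USERS.get(target_id)
    if target is None or not (requester.org_ids & target.org_ids):
        raise Forbidden("user not found")
    return target


def is_visible(handler: Callable[[int, int], User], requester_id: int, target_id: int) -> bool:
    """True if the handler returns the target record to this caller."""
    try:
        handler(requester_id, target_id)
        return True
    except (Forbidden, KeyError):
        return False


def collect_usernames(handler: Callable[[int, int], User],
                      requester_id: int, id_range: range) -> List[str]:
    """Walk a range of IDs as an attacker would and collect every username the
    handler discloses for other users; for API_KEY users that is the key."""
    leaked = []
    for target_id in id_range:
        if target_id != requester_id and is_visible(handler, requester_id, target_id):
            leaked.append(handler(requester_id, target_id).username)
    return leaked


if __name__ == "__main__":
    # Alice (owner of org 10) probes IDs 1..9 against both handlers.
    print("vulnerable:", collect_usernames(get_user_vulnerable, 1, range(1, 10)))
    print("fixed:     ", collect_usernames(get_user_fixed, 1, range(1, 10)))
```

Against the vulnerable handler, Alice recovers Bob's organization's API key by simply incrementing the ID; against the fixed handler she sees only Carol, who is in her own organization. Returning the same error for missing and foreign IDs is deliberate: a distinguishable "forbidden" response would still let a caller map which IDs exist.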
Administrators should upgrade alf.io to version 2.0-M4-2402 or later, where the missing authorization check has been added. Because the flaw discloses API keys rather than only user metadata, upgrading does not undo any exposure that already occurred; rotating API keys after patching, and reviewing admin access logs for requests to /admin/api/users/<user_id> with IDs outside the caller's organizations, is a sensible follow-up.