CVE-2024-25635 - Unspecified vulnerability in ALF 2.0M42304
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |

Summary
alf.io is an open source ticket reservation system. Prior to version 2.0-M4-2402, organization owners can view the generated API KEY and USERS of other organization owners using the `http://192.168.26.128:8080/admin/api/users/<user_id>` endpoint, which exposes the details of the provided user ID. This may also expose the API KEY in the username of the user. Version 2.0-M4-2402 fixes this issue.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |