CVE-2024-55585 PUBLISHED

Assigner: mitre
Reserved: 09.12.2024 Published: 07.06.2025 Updated: 13.06.2025

In the moPS App through 1.8.618, all users can access administrative API endpoints without additional authentication, resulting in unrestricted read and write access, as demonstrated by /api/v1/users/resetpassword.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/RE:M/U:Red
CVSS Score: 9

Product Status

Vendor MOPS
Product moPS
Versions Default: unaffected
  • affected from 0 to 1.8.618 (incl.)

References

Problem Types

  • CWE-306 Missing Authentication for Critical Function CWE