Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-50633 PoC — Indico 安全漏洞

Source
https://github.com/cetinpy/CVE-2024-50633
Associated Vulnerability
Title:Indico 安全漏洞 (CVE-2024-50633)
Description:A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrieve certain information about other user accounts (this functionality is, in the current design, not restricted to any privileged roles such as event organizer).
Readme
## CVE-2024-50633

### 🏆 - **CVE-2024-50633**: [Indico BOLA Vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50633)  
  *(Discovered and reported a BOLA vulnerability in Indico.)*

---

### 📜 Description CVE-2024-50633
A **Broken Object Level Authorization (BOLA)** vulnerability in Indico **v3.2.9** allows attackers to access sensitive user information by manipulating API requests.

### Query CVE-2024-50633
**FOFA** : title="Indico" || header="Indico"

**Google Dork** : intitle:"Indico" inurl:"/event"

---

### 🛠️ Technical Details
1. **Vulnerable Component**: `/api/principals`
2. **Method**: A crafted POST request can be used to exploit this vulnerability.
3. **Exploit Example**:
   ```http
   POST /api/principals HTTP/2
   Content-Type: application/json

   {
       "values": ["User:2301"]
   }


By modifying the User value (e.g., User:2302), the attacker can access data of another user.
Steps to Reproduce:
Register on an Indico website.
Navigate to the "Create Event" section and capture the POST request using Burp Suite.
Modify the values parameter to another user ID.
Observe that unauthorized data is returned.

🔥 **Impact**
This vulnerability can expose sensitive information of other users.
It breaks authorization boundaries, leading to potential data leaks.

⚙️ **Affected Versions**
Indico v3.2.9 to v3.3.2

🔧 **How to Fix? for [CVE-2024-50633]**

**Update to the Latest Version:**
Ensure that your Indico instance is updated to the latest patched version where the vulnerability has been addressed. Check Indico’s official releases for updates.

**Restrict Access to Sensitive Endpoints**:
Apply strict access controls on API endpoints such as /api/principals to ensure only authorized users can access sensitive information. Use role-based access control (RBAC) mechanisms.

**Implement Input Validation:**
Validate and sanitize user-provided input in all API requests to prevent unauthorized access or manipulation of data.

**Monitor and Audit Logs:**
Regularly monitor server logs for unusual API requests or unauthorized access attempts to /api/principals. This can help identify exploitation attempts.

**Use a Web Application Firewall (WAF):**
Deploying a WAF can provide an additional layer of protection against exploitation attempts by detecting and blocking malicious requests.

🕵️‍♂️ Reported by
Çetin BİNİCİ
File Snapshot

 [4.0K]  /data/pocs/61d85c3bc46f04172d9b0e9791b05e8f498f93a0
└── [2.4K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →