How severe is CVE-2024-34082?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.9 out of 10.

What type of vulnerability is CVE-2024-34082?

This is classified as CWE-269, which is a common weakness in software security.

CVE-2024-34082 - CRITICAL Severity | CVSS 9.9

Vulnerability Description

Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - `/grav/user/accounts/*.yaml`. This file stores hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account and read any file in the web server by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. A low privileged user may also perform a full account takeover of other registered users including Administrators. Version 1.7.46 contains a patch.

Related Vulnerabilities

CVE-2020-15149

CRITICAL

CVSS:9.9(Critical)

NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially c...

CWE-2692020

CVE-2020-7047

CRITICAL

CVSS:9.9(Critical)

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that gave any authenticated user, with minimal permissions, the ability (with a simple wp-admin/admin.php?db-reset-tables[]=users r...

CWE-2692020

CVE-2021-36302

CRITICAL

CVSS:9.9(Critical)

All Dell EMC Integrated System for Microsoft Azure Stack Hub versions contain a privilege escalation vulnerability. A remote malicious user with standard level JEA credentials may potentially exploit ...

CWE-2692021

CVE-2022-1770

CRITICAL

CVSS:9.9(Critical)

Improper Privilege Management in GitHub repository polonel/trudesk prior to 1.2.2.

CWE-2692022

CVE-2022-39395

CRITICAL

CVSS:9.9(Critical)

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some ...

CWE-2692022

CVE-2023-20048

CRITICAL

CVSS:9.9(Critical)

A vulnerability in the web services interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute certain unauthorized configuration commands o...

CWE-2692023