CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2024-6303

Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias to a room which they control, allowing them to run commands resetting passwords, siging json with the server's key, deactivating users, and more

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 36.2%

CVSS Severity

CVSS v3 Score 9.9

References

Products affected by CVE-2024-6303

Conduit » Conduit » Version: N/A

cpe:2.3:a:conduit:conduit:-
Conduit » Conduit » Version: 0.0.0

cpe:2.3:a:conduit:conduit:0.0.0
Conduit » Conduit » Version: 0.2.0

cpe:2.3:a:conduit:conduit:0.2.0
Conduit » Conduit » Version: 0.3.0

cpe:2.3:a:conduit:conduit:0.3.0
Conduit » Conduit » Version: 0.4.0

cpe:2.3:a:conduit:conduit:0.4.0
Conduit » Conduit » Version: 0.5.0

cpe:2.3:a:conduit:conduit:0.5.0
Conduit » Conduit » Version: 0.6.0

cpe:2.3:a:conduit:conduit:0.6.0
Conduit » Conduit » Version: 0.7.0

cpe:2.3:a:conduit:conduit:0.7.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2024-6303

Products

Pricing

Contact Us