CVE-2024-28735

8.1 HIGH

📋 TL;DR

This vulnerability allows authenticated users in Unit4 Financials by Coda to bypass authorization controls and reset passwords for any user account via specially crafted requests. It affects all versions prior to 2023Q4, potentially compromising any organization using vulnerable versions of this financial management software.

💻 Affected Systems

Products:
  • Unit4 Financials by Coda
Versions: All versions prior to 2023Q4
Operating Systems: Not OS-specific
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of vulnerable versions regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could reset passwords for all user accounts including administrators, take complete control of the financial system, manipulate financial data, and potentially access sensitive financial information.

🟠 Likely Case

An authenticated malicious insider or compromised account could escalate privileges, reset passwords for other users including administrators, and gain unauthorized access to sensitive financial functions.

🟢 If Mitigated

With proper network segmentation, strong authentication controls, and monitoring, impact would be limited to potential unauthorized password resets that could be detected and reversed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on Packet Storm Security. Requires authenticated access but the exploit is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023Q4 or later

Vendor Advisory: https://www.unit4.com/

Restart Required: Yes

Instructions:

1. Upgrade to Unit4 Financials by Coda version 2023Q4 or later.
2. Apply all available patches from Unit4.
3. Restart the application services.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all

Restrict network access to the Financials application to only trusted IP addresses and networks.

Enhanced Authentication Monitoring

Applies to: all

Implement strict monitoring for password reset activities and alert on suspicious patterns.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Financials application from untrusted networks
  • Enforce multi-factor authentication for all user accounts and monitor for unusual password reset activities

🔍 How to Verify

Check if Vulnerable:

Check the application version in the admin console or configuration files. If the version is earlier than 2023Q4, the system is vulnerable.

Check Version:

Check the application version in the admin interface or consult the system documentation.

Verify Fix Applied:

After upgrading to 2023Q4 or later, attempt to reproduce the exploit using the published method. The password reset authorization should be properly enforced.

📡 Detection & Monitoring

Log Indicators:

  • Multiple password reset requests from single user
  • Password reset requests for accounts not belonging to the requesting user
  • Unusual patterns in user management logs

Network Indicators:

  • HTTP POST requests to password reset endpoints with modified parameters
  • Requests bypassing normal authorization flows

SIEM Query:

source="financials_app" AND (event_type="password_reset" AND target_user != requesting_user)
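The SIEM query above and the first two log indicators can be checked offline against exported logs. The following is an added example, not code from the advisory or from Unit4; the log line format and field names (event_type, requesting_user, target_user, src_ip) are constructed for illustration and a real Financials export will need its own parser.

```python
"""Flag password-reset events where the target account is not the requesting
account (the advisory's SIEM query) and users issuing bursts of resets."""
import re
from collections import Counter

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-03-12T09:14:02Z event_type=password_reset requesting_user=alice target_user=alice src_ip=10.0.4.21
2024-03-12T09:20:45Z event_type=login requesting_user=bob target_user=bob src_ip=10.0.4.30
2024-03-12T09:21:10Z event_type=password_reset requesting_user=bob target_user=admin src_ip=10.0.4.30
2024-03-12T09:21:14Z event_type=password_reset requesting_user=bob target_user=carol src_ip=10.0.4.30
2024-03-12T09:21:19Z event_type=password_reset requesting_user=bob target_user=dave src_ip=10.0.4.30
2024-03-12T10:02:33Z event_type=password_reset requesting_user=erin target_user=erin src_ip=10.0.7.8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def find_cross_user_resets(log_text):
    """password_reset events whose target_user differs from requesting_user."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("event_type") == "password_reset" \
                and ev.get("target_user") != ev.get("requesting_user"):
            hits.append(ev)
    return hits


def find_burst_resetters(log_text, threshold=3):
    """Users that issued at least `threshold` password resets in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("event_type") == "password_reset":
            counts[ev["requesting_user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ev in find_cross_user_resets(SAMPLE_LOG):
        print(f"ALERT cross-user reset: {ev['requesting_user']} -> {ev['target_user']} "
              f"at {ev['ts']} from {ev['src_ip']}")
    for user, n in find_burst_resetters(SAMPLE_LOG).items():
        print(f"ALERT {n} password resets issued by {user}")
```

On the sample log, the cross-user check flags bob's resets of admin, carol and dave, and the burst check flags bob as the only user at or above the threshold.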
