CVE-2024-41518
📋 TL;DR
An incorrect access control vulnerability in Feripro allows remote attackers to export sensitive registration and participant data via the /admin/programm/<program_id>/export/statistics endpoint without proper authentication. This affects all Feripro installations running version 2.2.3 or earlier.
💻 Affected Systems
- Feripro
📦 What is this software?
Feripro by Mecodia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate all registration data including personal identifiable information (PII), potentially violating data protection regulations and exposing sensitive organizational information.
Likely Case
Unauthorized users accessing and downloading participant lists, registration details, and program statistics that should be restricted to administrators.
If Mitigated
Proper authentication and authorization checks would prevent unauthorized access, limiting data exposure to legitimate administrators only.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint. The vulnerability is documented in public advisories with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.2.4 or later
Vendor Advisory: http://feripro.de
Restart Required: Yes
Instructions:
1. Back up your Feripro installation and database.
2. Download the latest version from the official Feripro website.
3. Replace the existing installation files with the updated version.
4. Restart the Feripro service or web server.
5. Verify the fix by testing the export functionality.
🔧 Temporary Workarounds
Web Server Access Restriction
Block access to the vulnerable endpoint using web server configuration. Note that this also blocks legitimate administrators from using the export until the patch is applied.
# For Apache (server or virtual-host context; mod_rewrite must be enabled):
RewriteEngine On
RewriteRule ^/admin/programm/.*/export/statistics$ - [F]
# For Nginx (inside the server block that serves Feripro):
location ~ ^/admin/programm/.*/export/statistics$ { return 403; }
Network Access Control
Restrict access to the Feripro admin interface to trusted IP addresses only. Rule order matters: the ACCEPT rule for the trusted address must precede the DROP rule, and the same pair is needed for port 443 if Feripro is served over TLS.
# Firewall rule example (replace trusted_ip with your administrator network):
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Feripro instances from untrusted networks
- Deploy a web application firewall (WAF) with rules to block unauthorized access to admin export endpoints
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[feripro-host]/admin/programm/1/export/statistics without authentication. If it returns an XLSX file, the system is vulnerable.
Check Version:
Check the Feripro version in the web interface footer or configuration files
Verify Fix Applied:
After patching, attempt the same unauthorized access. The system should return an authentication error or 403 Forbidden response.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /admin/programm/*/export/statistics on requests that carry no authenticated session
- Large file downloads of XLSX files from admin endpoints
Network Indicators:
- Unusual spikes in traffic to admin export endpoints
- XLSX file downloads from non-admin IP addresses
SIEM Query:
source="feripro_access.log" AND (uri="/admin/programm/*/export/statistics" AND status=200) AND NOT (user="admin" OR auth_success=true)
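As an added example that is not part of the advisory or of Feripro itself, the log indicators above can be checked offline with a small parser over web server access logs. It assumes the combined log format with the authuser field populated for logged-in administrators (a constructed sample is embedded; real Feripro logs may record the session user differently, so adapt the regex to your format). It flags successful unauthenticated hits on the export endpoint as high severity, large authenticated exports as informational, and counts export requests per source address to surface the traffic spikes the advisory mentions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in "combined" log format; the third field is the
# authenticated user ("-" when none). These are not real Feripro logs.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2024:10:14:02 +0200] "GET /admin/programm/1/export/statistics HTTP/1.1" 200 184320 "-" "curl/8.0"
192.0.2.10 - admin [12/Jul/2024:10:15:30 +0200] "GET /admin/programm/1/export/statistics HTTP/1.1" 200 184320 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2024:10:16:01 +0200] "GET /admin/programm/2/export/statistics HTTP/1.1" 403 512 "-" "curl/8.0"
198.51.100.4 - - [12/Jul/2024:10:17:45 +0200] "GET /programm/1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident authuser [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# The vulnerable endpoint from the advisory, with any program id and optional query string.
EXPORT_RE = re.compile(r'^/admin/programm/[^/]+/export/statistics(?:\?.*)?$')


@dataclass
class Finding:
    severity: str   # "high" or "info"
    ip: str
    user: str
    uri: str
    status: int
    size: int
    reason: str


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "uri": m.group("uri"),
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),
    }


def find_suspicious(log_text, large_bytes=100_000):
    """Apply the advisory's log indicators to every line of an access log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not EXPORT_RE.match(rec["uri"]):
            continue
        if rec["status"] != 200:
            continue  # denied or failed requests are counted elsewhere, not flagged here
        if rec["user"] == "-":
            # A 200 on the export endpoint with no authenticated user is the
            # direct signature of the access-control flaw being used.
            findings.append(Finding("high", rec["ip"], rec["user"], rec["uri"],
                                    rec["status"], rec["size"],
                                    "export served without authentication"))
        elif rec["size"] >= large_bytes:
            # Authenticated but large: worth reviewing, not necessarily malicious.
            findings.append(Finding("info", rec["ip"], rec["user"], rec["uri"],
                                    rec["status"], rec["size"],
                                    "large authenticated export download"))
    return findings


def export_requests_by_ip(log_text):
    """Count every request (any status) to the export endpoint per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and EXPORT_RE.match(rec["uri"]):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} user={f.user} {f.uri} {f.status} {f.size}B: {f.reason}")
    print("export requests per IP:", export_requests_by_ip(SAMPLE_LOG))
```

On the sample, the first line is reported as high severity, the admin's download as informational, the 403 probe only shows up in the per-IP count, and the unrelated request is ignored. The per-IP counter is the piece to feed a threshold alert for the "unusual spikes" indicator.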