CVE-2024-47651

6.5 MEDIUM

📋 TL;DR

This vulnerability in Shilpi Client Dashboard allows an authenticated attacker to read other users' sensitive information by manipulating API parameters: the affected endpoint mishandles requests that carry more than one userid parameter, so the authorization check can be bypassed. Organizations running vulnerable versions of Shilpi Client Dashboard are affected.

💻 Affected Systems

Products:
  • Shilpi Client Dashboard
Versions: Specific versions not specified in CVE description - all versions with vulnerable API endpoint
Operating Systems: All platforms running Shilpi Client Dashboard
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the API endpoint

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all user data including personal information, financial data, and confidential business information belonging to all users in the system.

🟠 Likely Case

Targeted data theft where attackers access specific users' sensitive information for identity theft, fraud, or corporate espionage.

🟢 If Mitigated

Limited impact with proper access controls, monitoring, and network segmentation preventing lateral movement and data exfiltration.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated session but involves only simple parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched version

Vendor Advisory: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313

Restart Required: Yes

Instructions:

1. Review the CERT-IN advisory for patch details.
2. Download and apply the vendor-provided patch.
3. Restart the Shilpi Client Dashboard service.
4. Verify that the fix is in place.

🔧 Temporary Workarounds

API Input Validation

all

Implement strict input validation to reject requests with multiple userid parameters

Implement server-side validation: if count(userid_parameters) > 1 then reject_request()

Web Application Firewall Rule

all

Block requests containing multiple userid parameters in API payload

WAF rule: if request.body contains 'userid' count > 1 then block

🧯 If You Can't Patch

  • Implement strict API rate limiting and monitor for unusual parameter patterns
  • Segment network access to Shilpi Client Dashboard and implement strict authentication controls

🔍 How to Verify

Check if Vulnerable:

Test API endpoint with multiple userid parameters in request body using authenticated session

Check Version:

Check Shilpi Client Dashboard version in admin interface or configuration files

Verify Fix Applied:

Attempt exploitation after patch - requests with multiple userid parameters should be rejected

📡 Detection & Monitoring

Log Indicators:

  • Multiple userid parameters in single API request
  • Unusual data access patterns from single user session
  • Failed authorization attempts followed by successful data access

Network Indicators:

  • API requests with duplicate parameter names in payload
  • Unusual data volume from authenticated sessions

SIEM Query:

source="shilpi_logs" AND (request_body CONTAINS "userid" AND request_body COUNT("userid") > 1)
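The duplicate-userid check from the workarounds above and the log indicator "multiple userid parameters in a single API request" can both be implemented in a few lines. The following is an added example, not code from the advisory or the vendor; the request-body formats (form-encoded or JSON) and the log line format are assumptions.

```python
import json
from urllib.parse import parse_qs

PARAM = "userid"

def userid_values(body: str) -> list:
    """Every value supplied for `userid`, counting duplicates.
    Handles form-encoded and JSON bodies (assumed formats). For JSON the
    duplicate key is caught with object_pairs_hook, because json.loads
    would otherwise silently keep only the last occurrence."""
    stripped = body.lstrip()
    if stripped.startswith("{"):
        found = []
        def hook(pairs):
            found.extend(str(v) for k, v in pairs if k == PARAM)
            return dict(pairs)
        json.loads(stripped, object_pairs_hook=hook)  # invalid JSON raises; caller returns 400
        return found
    return parse_qs(body, keep_blank_values=True).get(PARAM, [])

def authorize(body: str, session_userid: str) -> tuple:
    """(allowed, reason) for one request, mirroring the workaround above:
    more than one userid parameter is rejected, and the single remaining
    userid must belong to the authenticated session."""
    values = userid_values(body)
    if len(values) > 1:
        return False, "duplicate userid parameter"
    if not values:
        return False, "missing userid parameter"
    if values[0] != session_userid:
        return False, "userid does not match session"
    return True, "ok"

# Constructed sample log lines (assumed format, not real product logs):
# "<time> user=<session userid> body=<raw request body>"
SAMPLE_LOG = [
    "2024-10-01T10:00:00Z user=1001 body=userid=1001&report=q3",
    "2024-10-01T10:00:05Z user=1001 body=userid=1001&userid=1002&report=q3",
    '2024-10-01T10:00:09Z user=1002 body={"userid": "1002", "userid": "1003"}',
    "2024-10-01T10:00:12Z user=1003 body=userid=1004&report=q3",
]

def scan_log(lines) -> list:
    """Return (session user, reason) for each logged request the guard
    would reject: the duplicate-parameter indicator plus plain mismatches."""
    hits = []
    for line in lines:
        user = line.split(" user=", 1)[1].split(" ", 1)[0]
        body = line.split(" body=", 1)[1]
        ok, reason = authorize(body, user)
        if not ok:
            hits.append((user, reason))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the second, third and fourth constructed lines; the first, a user requesting only their own record, passes.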
