
Cloud Vulnerability DB
A community-led vulnerabilities database
Oqtane Framework is vulnerable to Insecure Direct Object Reference (IDOR) in Oqtane.Controllers.UserController. This vulnerability, identified as CVE-2024-55471 and disclosed on December 20, 2024, allows unauthorized users to access sensitive information of other users by manipulating the id parameter. The vulnerability affects the Oqtane Framework version 6.0.0 and earlier releases (NVD, Medium Blog).
The vulnerability exists in the Oqtane.Controllers.UserController.Get endpoint accessible via http://localhost:5000/api/User/{id}?siteid=1. The endpoint lacks proper authorization checks to verify whether the requesting user has permission to access data for a specific id. The CVSS v3.1 base score is 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).
The vulnerability can lead to unauthorized data access, privacy breaches, and compromised application integrity. Attackers can view sensitive user information by manipulating the id parameter in API requests. This vulnerability could potentially serve as a stepping stone for more sophisticated attacks such as privilege escalation or account takeover (Medium Blog).
The vulnerability has been patched by implementing proper authorization checks to ensure that user settings are only accessible to individual users or administrators. Organizations using affected versions should update to the latest version immediately. Additional recommended security measures include implementing robust authorization checks, using indirect references instead of direct object references, following secure API development practices, and conducting regular security testing (GitHub PR, Medium Blog).
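To illustrate the class of bug and the fix described above, here is an added ASP.NET Core example (not Oqtane's own controller or its actual patch): the vulnerable shape, where any authenticated caller can read any id, beside a hardened action that returns the record only to its owner or an administrator. The UserDto and IUserRepository types and the "Administrators" role name are assumptions.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Constructed stand-ins; not Oqtane's own types or repository interfaces.
public record UserDto(int UserId, string Username, string Email);

public interface IUserRepository
{
    UserDto? GetUser(int userId, int siteId);
}

[ApiController]
[Route("api/[controller]")]
public class UserController : ControllerBase
{
    // Assumption: the administrator role is named "Administrators".
    private const string AdminRole = "Administrators";
    private readonly IUserRepository _users;

    public UserController(IUserRepository users) => _users = users;

    // Vulnerable shape: [Authorize] proves the caller is logged in, but nothing
    // ties the requested id to the caller, so GET /api/User/{id}?siteid=1
    // returns any user's record (IDOR).
    [HttpGet("{id}")]
    [Authorize]
    public IActionResult GetVulnerable(int id, int siteid)
    {
        var user = _users.GetUser(id, siteid);
        return user is null ? NotFound() : Ok(user);
    }

    // Hardened shape: the caller's identity is taken from the authenticated
    // principal, never from the request, and must match the id or hold the
    // administrator role before any data is read.
    [HttpGet("{id}/hardened")]
    [Authorize]
    public IActionResult GetHardened(int id, int siteid)
    {
        var callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        bool isOwner = int.TryParse(callerId, out var cid) && cid == id;
        bool isAdmin = User.IsInRole(AdminRole);

        // Same response for "not yours" and "does not exist", so a rejected
        // request does not confirm which ids are valid.
        if (!isOwner && !isAdmin) return NotFound();

        var user = _users.GetUser(id, siteid);
        return user is null ? NotFound() : Ok(user);
    }
}
```

Both actions are shown in one controller only for comparison; a real fix replaces the vulnerable action rather than adding a second route beside it.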
Source: This report was generated using AI