How severe is CVE-2024-50334?

This vulnerability has a severity rating of HIGH with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2024-50334?

This is classified as CWE-288, which is a common weakness in software security.

CVE-2024-50334 - HIGH Severity | CVSS 5.3

Vulnerability Description

Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type: application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false.

Related Vulnerabilities

CVE-2018-19000

MEDIUM

CVSS:5.3(Medium)

LCDS Laquis SCADA prior to version 4.1.0.4150 allows an authentication bypass, which may allow an attacker access to sensitive data.

CWE-2882018

CVE-2022-24047

MEDIUM

CVSS:5.3(Medium)

This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It! 20.21.01.102. Authentication is not required to exploit this vulnerability. The specific ...

CWE-2882022

CVE-2024-1525

MEDIUM

CVSS:5.3(Medium)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Unde...

CWE-2882024

CVE-2024-33939

MEDIUM

CVSS:5.3(Medium)

Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress.This issue affects Masteriyo - LMS: from n/a through 1.7.3.

CWE-2882024

CVE-2024-46887

MEDIUM

CVSS:5.3(Medium)

The web server of affected devices do not properly authenticate user request to the '/ClientArea/RuntimeInfoData.mwsl' endpoint. This could allow an unauthenticated remote attacker to gain knowledge a...

CWE-2882024

CVE-2025-26700

MEDIUM

CVSS:5.2(Medium)

Authentication bypass using an alternate path or channel issue exists in ”RoboForm Password Manager" App for Android versions prior to 9.7.4, which may allow an attacker with access to a device where ...

CWE-2882025