CVE‑2024‑55585 is a high to critical severity vulnerability affecting the moPS App through version 1.8.618. The flaw allows unauthenticated users to call administrative API endpoints such as “/api/v1/users/resetpassword” enabling unintended read/write operations on the app.
Vulnerability Details
- CVE ID: CVE‑2024‑55585
- Affected Software: moPS App (application for event management, etc.)
- Affected Versions: ≤ 1.8.618
- CWE Identifier: CWE‑306 – Missing Authentication for Critical Function
- CVSS v4.0 Score: 9.0 (Critical)
- Attack Vector: Network
- Privileges Required: Low (any user, even unauthenticated)
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Exploitation Path
Due to missing authentication checks on administrative endpoints, unauthenticated or low‑privileged users can access and execute critical actions like resetting user passwords via API calls. Though there’s no public exploit yet, the risk is urgent because these APIs weren’t locked down properly.
Mitigation Steps
To secure your instance of moPS App:
- Check Your Version: Make sure you’re not running 1.8.618 or earlier.
- Apply the Patch: Upgrade to a version that restricts admin API access.
- Harden API Access: Use API keys, authentication tokens, or require login for administrative endpoints.
- Monitor Logs: Check server logs (endpoint calls, IPs, status codes) for unusual or unauthorized requests.
- Review Access Controls: Verify that only trusted users can perform admin-level actions.
References & Attribution
1. https://karatemuffin.it/data/2025_06_07_CVE-2024-55585_update.json
4. NVD Entry for CVE-2024-55585 – National Vulnerability Database summary
https://nvd.nist.gov/vuln/detail/CVE-2024-55585
5. MITRE CVE Program – Source of CVE metadata and classification
© 1999–2025 The MITRE Corporation. Licensed under the MITRE CVE Terms of Use.
https://www.cve.org/Legal/TermsOfUse
Subscribe to CybrWolf and stay ahead of threats.