CVE-2023-50872: n/a in n/a

Severity: High
Published: Tue Apr 16 2024 (04/16/2024, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

The API in Accredible Credential.net December 6th, 2023 allows an Insecure Direct Object Reference attack that discloses partial information about certificates and their respective holder. NOTE: the excellium-services.com web page about this issue mentions "Vendor says that it's not a security issue."

AI-Powered Analysis

Last updated: 07/08/2025, 12:55:37 UTC

Technical Analysis

CVE-2023-50872 is a high-severity vulnerability identified in the API of Accredible Credential.net as of December 6th, 2023. The vulnerability is classified as an Insecure Direct Object Reference (IDOR), which allows an attacker to access partial information about certificates and their respective holders without proper authorization. IDOR vulnerabilities occur when an application exposes internal implementation objects such as files, database records, or keys directly to users, without sufficient access control checks. In this case, the API fails to adequately restrict access to certificate data, enabling unauthorized disclosure of sensitive information. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high impact primarily on confidentiality (C:H), with no impact on integrity or availability. The attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making exploitation relatively straightforward if the API endpoint is accessible. Although the vendor reportedly considers this not a security issue, the vulnerability is recognized by the CVE database and is associated with CWE-200 (Exposure of Sensitive Information). There are no known exploits in the wild at this time, and no patches or mitigations have been officially published. The lack of vendor acknowledgment and patch availability increases the risk for organizations relying on Accredible Credential.net for certificate management and verification.

Potential Impact

For European organizations, the impact of this vulnerability could be significant, especially for educational institutions, certification bodies, and employers who use Accredible Credential.net to issue and verify professional or academic credentials. Unauthorized disclosure of certificate holder information could lead to privacy violations under the GDPR, reputational damage, and potential misuse of personal data for social engineering or identity theft. Since the vulnerability exposes partial certificate data, attackers might piece together sensitive information or use it to undermine trust in digital credentials. The fact that exploitation requires no authentication and no user interaction increases the risk of automated or large-scale data harvesting attacks. Additionally, organizations in regulated sectors such as finance, healthcare, and government could face compliance issues if certificate data leakage occurs. The vendor's dismissal of the issue as non-security related may delay remediation efforts, prolonging exposure and increasing the window of opportunity for attackers.

Mitigation Recommendations

European organizations using Accredible Credential.net should implement compensating controls immediately. These include restricting API access via network-level controls such as IP whitelisting or VPN requirements, and monitoring API usage for anomalous access patterns indicative of scraping or enumeration attacks. Organizations should engage with the vendor to demand timely patches or configuration changes that enforce strict access controls on certificate data. Internally, limiting the amount of sensitive information included in certificates and minimizing exposed API endpoints can reduce risk. Logging and alerting on unusual API requests can help detect exploitation attempts early. Where possible, organizations should consider alternative credential management solutions with stronger security postures until this vulnerability is resolved. Legal and compliance teams should be involved to assess GDPR implications and prepare incident response plans in case of data leakage.
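The IDOR pattern described in the technical analysis, and the two mitigations recommended above (strict object-level access control on certificate data, and minimizing what a record exposes), side by side as an added example. This is illustrative code written for this page, not Accredible's API or schema; the record fields, ids and the share-token scheme are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample schema; field names are assumptions, not the vendor's real data model.
@dataclass(frozen=True)
class Certificate:
    cert_id: int            # sequential internal id: guessable, so it must never be the only gate
    issuer_id: str
    holder_id: str
    holder_name: str
    holder_email: str
    title: str
    share_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

# Constructed in-memory store standing in for the credential database.
CERTS = {
    1001: Certificate(1001, "issuer-a", "holder-7", "Alice Example", "alice@example.org", "Data Science"),
    1002: Certificate(1002, "issuer-b", "holder-9", "Bob Example", "bob@example.org", "Cloud Security"),
}
TOKEN_INDEX = {c.share_token: c for c in CERTS.values()}

def lookup_vulnerable(cert_id: int) -> Optional[dict]:
    """IDOR pattern: the caller-supplied id alone selects the row and the whole row is returned,
    so any client that can reach the endpoint can read every holder's data by id."""
    cert = CERTS.get(cert_id)
    return None if cert is None else vars(cert)

def lookup_by_id(cert_id: int, requester_id: Optional[str]) -> Optional[dict]:
    """Object-level authorization: only the holder or the issuing organization may read the record.
    Unknown and forbidden ids both yield None, so the response does not confirm which ids exist."""
    cert = CERTS.get(cert_id)
    if cert is None or requester_id not in (cert.holder_id, cert.issuer_id):
        return None
    return {"cert_id": cert.cert_id, "title": cert.title, "issuer_id": cert.issuer_id,
            "holder_name": cert.holder_name, "holder_email": cert.holder_email}

def verify_by_token(token: str) -> Optional[dict]:
    """Public verification path: an unguessable share token replaces the sequential id as the
    external reference, and the projection is limited to what a verifier needs (no e-mail)."""
    cert = TOKEN_INDEX.get(token)
    if cert is None:
        return None
    return {"title": cert.title, "issuer_id": cert.issuer_id, "holder_name": cert.holder_name}
```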

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2023-12-15T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839ce93182aa0cae2b5b18c

Added to database: 5/30/2025, 3:28:19 PM

Last enriched: 7/8/2025, 12:55:37 PM

Last updated: 8/12/2025, 7:01:52 AM