CVE-2024-0580: CWE-639 Authorization Bypass Through User-Controlled Key in IDMSistemas Sinergia, Sinergia 2.0, and Sinergia Corporativo
Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc.
AI Analysis
Technical Summary
CVE-2024-0580 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the IDMSistemas platform products Sinergia, Sinergia 2.0, and Sinergia Corporativo, specifically version 2.0. The vulnerability arises due to the omission of proper authorization checks on a user-controlled key parameter within the API endpoint '/qsige.locator/quotePrevious/centers/X', where 'X' is a parameter that accepts numeric values such as 1, 2, 3, etc. This flaw allows an unauthenticated attacker to craft requests to this endpoint and extract sensitive information without proper permission validation. The vulnerability has a CVSS v3.1 base score of 6.5 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on January 18, 2024, and assigned by INCIBE. The root cause is the failure to enforce authorization on user-controlled keys in the API, enabling unauthorized data disclosure through crafted API requests.
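The CWE-639 pattern described above, shown as an added illustration rather than IDMSistemas or QSige code: a lookup that serves whatever numeric key the caller supplies, beside a handler that first checks the authenticated principal's entitlement to that specific key. The data model, the `Principal` class and the sample records are constructed assumptions.

```python
# Added illustration (not IDMSistemas/QSige code): the CWE-639 pattern behind
# CVE-2024-0580 and its fix. Data model, names and records are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data keyed by the numeric id that the
# '/qsige.locator/quotePrevious/centers/X' path segment would carry.
CENTERS = {
    1: {"name": "Center A", "contact": "a@example.invalid"},
    2: {"name": "Center B", "contact": "b@example.invalid"},
    3: {"name": "Center C", "contact": "c@example.invalid"},
}

@dataclass
class Principal:
    """Authenticated caller plus the center ids it is entitled to read."""
    user_id: str
    center_ids: frozenset = field(default_factory=frozenset)

class Forbidden(Exception):
    pass

def get_center_vulnerable(center_id: int) -> dict:
    """CWE-639: the user-controlled key is used as-is, so any id is served."""
    return CENTERS[center_id]

def get_center_fixed(principal: Optional[Principal], center_id: int) -> dict:
    """Authorization is enforced against the requested key before the lookup."""
    if principal is None:
        raise Forbidden("authentication required")
    # Deny unless this principal is explicitly entitled to this center; a
    # missing record is reported the same way so the API is not an existence oracle.
    if center_id not in principal.center_ids or center_id not in CENTERS:
        raise Forbidden(f"user {principal.user_id} may not read center {center_id}")
    return CENTERS[center_id]

def handle_request(principal: Optional[Principal], raw_segment: str):
    """Parse the path segment the way the API would and route to the fixed
    handler. Returns (status, body) in the shape of an HTTP response."""
    if not raw_segment.isdigit():
        return 400, {"error": "center id must be numeric"}
    try:
        return 200, get_center_fixed(principal, int(raw_segment))
    except Forbidden:
        return 403, {"error": "forbidden"}
```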
Potential Impact
For European organizations using IDMSistemas Sinergia products, this vulnerability poses a significant risk to the confidentiality of sensitive business data accessible via the affected API. Since the flaw allows unauthorized extraction of information without authentication, attackers could potentially access confidential operational or financial data, leading to data breaches, competitive disadvantage, or regulatory non-compliance under GDPR. The medium CVSS score reflects that while exploitation requires some user interaction, the lack of required privileges and network accessibility makes exploitation feasible. The impact is heightened for organizations relying heavily on Sinergia 2.0 for critical business processes, especially those handling sensitive personal or corporate data. The absence of integrity or availability impact limits the threat to data leakage rather than system disruption or data manipulation. However, the exposure of sensitive information could lead to secondary attacks such as social engineering or fraud. Given the lack of known exploits, immediate widespread attacks are unlikely but the vulnerability should be considered a moderate risk until patched.
Mitigation Recommendations
Organizations should implement the following specific mitigation measures:
1) Immediately audit and monitor API access logs for unusual or unauthorized requests targeting the '/qsige.locator/quotePrevious/centers/X' endpoint, focusing on anomalous parameter values.
2) Restrict network access to the affected API endpoints using firewall rules or API gateways to limit exposure to trusted internal users or IP ranges.
3) Enforce strict authentication and authorization controls at the application layer, ensuring that all API requests validate user permissions against the requested resource keys.
4) Engage with IDMSistemas for official patches or updates addressing CVE-2024-0580 and plan prompt deployment once available.
5) If patching is delayed, consider implementing compensating controls such as input validation or API request filtering to block unauthorized parameter values.
6) Conduct security awareness training for users to recognize and report suspicious interactions that could trigger user interaction-based exploitation.
7) Review and enhance overall API security posture, including rate limiting and anomaly detection, to reduce attack surface.
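Measure 1 above, worked through as an added example that is not part of the advisory or any vendor tooling: a small log review that flags clients walking many distinct center ids on the affected endpoint, and requests carrying non-numeric ids. The access-log format, the sample lines and the threshold are constructed assumptions; adapt the regex to the real server's format.

```python
# Added example (not part of the advisory or the vendor's tooling): flag
# clients that walk many distinct center ids on the CVE-2024-0580 endpoint.
# Log format, threshold and the sample lines below are constructed.
import re
from collections import defaultdict

ENDPOINT_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"GET /qsige\.locator/quotePrevious/centers/(?P<cid>[^ /?]+)[^"]*" '
    r'(?P<status>\d{3})'
)

# Constructed sample access log (combined-log style, trailing fields dropped).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jan/2024:10:00:01 +0000] "GET /qsige.locator/quotePrevious/centers/1 HTTP/1.1" 200
203.0.113.7 - - [18/Jan/2024:10:00:02 +0000] "GET /qsige.locator/quotePrevious/centers/2 HTTP/1.1" 200
203.0.113.7 - - [18/Jan/2024:10:00:02 +0000] "GET /qsige.locator/quotePrevious/centers/3 HTTP/1.1" 200
203.0.113.7 - - [18/Jan/2024:10:00:03 +0000] "GET /qsige.locator/quotePrevious/centers/4 HTTP/1.1" 200
198.51.100.9 - alice [18/Jan/2024:10:05:00 +0000] "GET /qsige.locator/quotePrevious/centers/2 HTTP/1.1" 200
198.51.100.9 - alice [18/Jan/2024:10:06:00 +0000] "GET /qsige.locator/quotePrevious/centers/2 HTTP/1.1" 200
192.0.2.5 - - [18/Jan/2024:10:07:00 +0000] "GET /qsige.locator/quotePrevious/centers/abc HTTP/1.1" 500
192.0.2.5 - - [18/Jan/2024:10:07:05 +0000] "GET /index.html HTTP/1.1" 200
"""

def parse_endpoint_hits(log_text):
    """Yield (ip, user, center_id, status) for requests to the affected path."""
    for line in log_text.splitlines():
        m = ENDPOINT_RE.match(line)
        if m:
            yield m["ip"], m["user"], m["cid"], int(m["status"])

def find_suspicious_clients(log_text, max_distinct_ids=3):
    """Return {ip: [reasons]}. Two signals: a client touching more distinct
    center ids than a legitimate user would, and non-numeric ids (malformed
    keys the API should reject rather than serve)."""
    ids_seen = defaultdict(set)
    reasons = defaultdict(list)
    for ip, _user, cid, status in parse_endpoint_hits(log_text):
        if not cid.isdigit():
            reasons[ip].append(f"non-numeric center id {cid!r} (status {status})")
            continue
        ids_seen[ip].add(cid)
    for ip, ids in ids_seen.items():
        if len(ids) > max_distinct_ids:
            reasons[ip].append(f"enumerated {len(ids)} distinct center ids")
    return dict(reasons)
```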
Affected Countries
Spain, Portugal, Italy, France, Germany
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2024-01-16T08:06:10.223Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 683dbfa6182aa0cae2498302
Added to database: 6/2/2025, 3:13:42 PM
Last enriched: 7/3/2025, 5:11:03 PM
Last updated: 8/15/2025, 11:32:31 AM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)