CVE-2024-1033 is an information disclosure vulnerability identified in openBI versions 1.0.0 through 1.0.8. The vulnerability resides in the 'agent' function within the /application/index/controller/Datament.php file. Specifically, improper handling of the 'api' argument allows an attacker to remotely manipulate input parameters, leading to unauthorized disclosure of sensitive information. This vulnerability is classified under CWE-200, which pertains to exposure of sensitive information to an unauthorized actor. The vulnerability can be exploited remotely without user interaction but requires some level of privileges (PR:L) on the system, as indicated by the CVSS vector. The CVSS score of 4.3 (medium severity) reflects that the attack vector is network-based with low complexity and no user interaction needed, but it requires privileges. The impact is limited to confidentiality, with no effect on integrity or availability. Although no public exploits are currently known in the wild, the exploit details have been disclosed publicly, increasing the risk of exploitation. The lack of available patches or official vendor fixes at the time of publication means that affected organizations must rely on mitigation strategies until a patch is released. The vulnerability could allow attackers to gain access to sensitive data handled by openBI, potentially including business intelligence reports, user data, or configuration details, depending on the deployment context.

For European organizations using openBI versions up to 1.0.8, this vulnerability poses a risk of unauthorized information disclosure. Given that openBI is a business intelligence tool, the sensitive data exposed could include internal analytics, user credentials, or proprietary business information. Such exposure could lead to competitive disadvantage, regulatory non-compliance (e.g., GDPR violations if personal data is leaked), and reputational damage. The medium severity rating suggests the impact is moderate, but the risk increases if the attacker has some level of access privileges. Organizations in regulated industries such as finance, healthcare, and government sectors in Europe are particularly at risk due to the sensitivity of the data processed. Additionally, since the attack can be launched remotely, any exposed openBI instances accessible over the internet or internal networks are vulnerable. The absence of a patch increases the urgency for interim controls. The impact on confidentiality could also facilitate further attacks if sensitive configuration or credential information is disclosed.

1. Restrict access to openBI instances by implementing network-level controls such as firewalls and VPNs to limit exposure to trusted users only. 2. Enforce strict authentication and authorization policies to ensure only privileged users can access the vulnerable 'agent' function or related API endpoints. 3. Monitor and audit access logs for unusual or unauthorized API calls targeting the 'agent' function or the Datament.php controller. 4. Apply web application firewalls (WAFs) with custom rules to detect and block suspicious manipulation of the 'api' argument. 5. If feasible, disable or restrict the vulnerable functionality temporarily until an official patch is released. 6. Keep openBI installations isolated from public networks or segment them within secure network zones. 7. Regularly update and patch openBI once vendor fixes become available. 8. Conduct internal security assessments and penetration tests focusing on API input validation and information disclosure vectors. 9. Educate administrators and users about the risks of exposing business intelligence tools and the importance of secure configuration.