CVE-2024-28735: n/a
Unit4 Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability which allows an authenticated user to modify the password of any user of the application via a crafted request.
AI Analysis
Technical Summary
CVE-2024-28735 is an authorization bypass vulnerability affecting Unit4 Financials by Coda versions prior to 2023Q4. The vulnerability arises from improper access control checks that fail to validate whether an authenticated user has the privileges needed to modify other users' passwords. An attacker with valid credentials but limited permissions can exploit this flaw by crafting a request that changes the password of any user account within the application, including administrative accounts. The bypass requires no user interaction and can be executed remotely over the network, which makes it a significant risk. The vulnerability is classified under CWE-287 (Improper Authentication), indicating that the system does not properly verify user authorization before allowing sensitive operations. The CVSS v3.1 base score is 8.1, reflecting high severity due to the network attack vector, low attack complexity, and high impact on confidentiality and integrity. Although no public exploits have been reported yet, the nature of the vulnerability suggests that exploitation could lead to full account takeover and subsequent unauthorized access to sensitive financial data and system functions. The lack of available patches at the time of disclosure means organizations must rely on interim mitigations until updates are released.
Potential Impact
The primary impact of CVE-2024-28735 is unauthorized account takeover, which compromises the confidentiality and integrity of user accounts within Unit4 Financials by Coda. Attackers can escalate privileges by resetting passwords of higher-privileged users, potentially gaining administrative access to financial data and system controls. This can lead to data breaches, fraudulent financial transactions, manipulation of accounting records, and disruption of business operations. Since the vulnerability does not affect availability directly, denial-of-service is less of a concern. However, the ability to impersonate any user poses a severe risk to organizations relying on this software for critical financial management. The impact is especially significant for organizations with many users and complex role hierarchies, as attackers can pivot through accounts to maximize damage. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly given the straightforward nature of the bypass.
Mitigation Recommendations
1. Apply patches or updates from Unit4 as soon as they become available to address the authorization bypass vulnerability.
2. Until patches are released, restrict access to the Unit4 Financials application to trusted users only, using network segmentation and firewall rules to limit exposure.
3. Implement strict monitoring and alerting on password change events, especially those initiated by non-administrative users, to detect suspicious activity early.
4. Enforce strong authentication mechanisms, such as multi-factor authentication (MFA), to reduce the risk of credential compromise.
5. Review and tighten user role permissions to minimize the number of users with password modification capabilities.
6. Conduct regular audits of user accounts and password changes to identify unauthorized modifications.
7. Educate users and administrators about this vulnerability and encourage vigilance for unusual account behavior.
8. Consider deploying web application firewalls (WAFs) with custom rules to detect and block crafted requests attempting to exploit this flaw.
Affected Countries
United States, United Kingdom, Netherlands, Germany, Australia, Canada, France, Sweden, Norway, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-08T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d98b7ef31ef0b5891b8
Added to database: 2/25/2026, 9:46:00 PM
Last enriched: 2/26/2026, 5:42:52 PM
Last updated: 4/12/2026, 10:30:03 AM