
CVE-2024-3305: CWE-639 Authorization Bypass Through User-Controlled Key in Utarit Information SoliClub

Severity: High
Tags: vulnerability, cve-2024-3305, cwe-639, cwe-862
Published: Thu Sep 12 2024 (09/12/2024, 13:03:13 UTC)
Source: CVE Database V5
Vendor/Project: Utarit Information
Product: SoliClub

Description

Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data. This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.

AI-Powered Analysis

AI analysis last updated: 10/14/2025, 13:11:34 UTC

Technical Analysis

CVE-2024-3305 is a vulnerability in the SoliClub mobile application developed by Utarit Information, affecting iOS versions prior to 4.4.0 and Android versions prior to 5.2.1. The vulnerability stems from improper authorization checks, specifically an authorization bypass through a user-controlled key (CWE-639) combined with missing authorization (CWE-862). This flaw allows an attacker to manipulate keys or tokens that the application uses to control access to embedded sensitive data, effectively bypassing intended access controls. The vulnerability does not require any privileges or user interaction, and can be exploited remotely over the network, making it highly accessible to attackers. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H), with limited impacts on integrity and availability. The scope is limited to the SoliClub app but affects both major mobile platforms. Although no public exploits are currently known, the vulnerability's nature suggests that attackers could retrieve sensitive embedded data such as personal user information, credentials, or proprietary business data, leading to potential data breaches and privacy violations. The lack of patches at the time of reporting increases the urgency for affected users and organizations to apply updates once available or implement compensating controls.
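The access-control pattern described above (a user-controlled record key consulted without an ownership or authentication check) next to its hardened form, as an added illustration that is not SoliClub's code; the record store, identifiers and `AuthorizationError` are constructed for the example.

```python
"""CWE-639 / CWE-862 in a record-lookup API, shown as a vulnerable handler beside
a hardened one. Names and data are constructed for this example, not SoliClub code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    payload: str  # stands in for the "embedded sensitive data"


# Constructed sample store: two users, each owning one record.
RECORDS = {
    101: Record(101, owner_id=1, payload="user1 phone=+90-555-000-0001"),
    102: Record(102, owner_id=2, payload="user2 phone=+90-555-000-0002"),
}


class AuthorizationError(Exception):
    pass


def get_record_vulnerable(caller_id: Optional[int], record_id: int) -> Optional[Record]:
    """Vulnerable pattern: the caller-supplied record_id is the only key consulted.
    Nothing verifies that a caller is authenticated (CWE-862) or owns the
    record (CWE-639), so any client can walk the id space and read every record."""
    return RECORDS.get(record_id)


def get_record_hardened(caller_id: Optional[int], record_id: int) -> Record:
    """Hardened pattern: require an authenticated principal, then bind the lookup
    to that principal. A missing record and a foreign record fail identically,
    so the API does not reveal whether an id exists for another user."""
    if caller_id is None:
        raise AuthorizationError("authentication required")
    record = RECORDS.get(record_id)
    if record is None or record.owner_id != caller_id:
        raise AuthorizationError("not found")
    return record


def can_read(caller_id: Optional[int], record_id: int) -> bool:
    """Policy decision as a boolean, convenient for tests and audit logging."""
    try:
        get_record_hardened(caller_id, record_id)
        return True
    except AuthorizationError:
        return False
```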

Potential Impact

The primary impact of CVE-2024-3305 is unauthorized disclosure of sensitive embedded data within the SoliClub application, which can lead to significant confidentiality breaches. For European organizations, this could mean exposure of personal data protected under GDPR, resulting in legal and financial penalties. The vulnerability could be exploited to access user credentials, private communications, or proprietary business information, undermining trust and potentially enabling further attacks such as identity theft or corporate espionage. The fact that exploitation requires no authentication or user interaction increases the risk of widespread automated attacks. Organizations relying on SoliClub for internal communications, customer engagement, or data storage face risks of operational disruption and reputational damage. The vulnerability also poses risks to sectors with high mobile app usage, including finance, healthcare, and government services, where sensitive data leakage could have severe consequences. Given the network-based attack vector, attackers could exploit this vulnerability remotely, increasing the threat surface for European entities.

Mitigation Recommendations

To mitigate CVE-2024-3305, European organizations should immediately verify the SoliClub app versions in use and upgrade to iOS version 4.4.0 or later and Android version 5.2.1 or later once patches are released. Until patches are available, organizations should restrict network access to the SoliClub application backend using firewall rules and VPNs to limit exposure. Implement application-layer access controls and monitor application logs for unusual access patterns indicative of exploitation attempts. Employ mobile device management (MDM) solutions to enforce app version compliance and restrict installation of vulnerable versions. Conduct regular security assessments and penetration tests focusing on authorization mechanisms within mobile apps. Educate users about the risks of using outdated app versions and encourage prompt updates. Additionally, consider encrypting sensitive data at rest and in transit within the app to reduce the impact of unauthorized access. Collaborate with the vendor for timely updates and vulnerability disclosure information.
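The log-monitoring recommendation above, worked through as an added example that is not part of the original analysis: it flags clients that walk many distinct record ids in a short window and clients that receive record data without an authenticated user. The log line format, field names and thresholds are assumptions; the sample lines are constructed.

```python
"""Detection of record enumeration in constructed access logs (format and thresholds are assumptions, not SoliClub's real logs)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> client=<ip> user=<id|anon> record=<id> status=<code>"
LINE_RE = re.compile(r"^(\S+) client=(\S+) user=(\S+) record=(\d+) status=(\d{3})$")

# Constructed sample: one legitimate user, one client walking record ids anonymously.
SAMPLE_LOG = """\
2024-09-12T13:00:01Z client=198.51.100.7 user=1 record=101 status=200
2024-09-12T13:00:02Z client=198.51.100.7 user=1 record=101 status=200
2024-09-12T13:00:05Z client=203.0.113.9 user=anon record=100 status=200
2024-09-12T13:00:06Z client=203.0.113.9 user=anon record=101 status=200
2024-09-12T13:00:07Z client=203.0.113.9 user=anon record=102 status=200
2024-09-12T13:00:08Z client=203.0.113.9 user=anon record=103 status=200
2024-09-12T13:00:09Z client=203.0.113.9 user=anon record=104 status=200
2024-09-12T13:00:30Z client=192.0.2.4 user=2 record=102 status=200
"""

def parse(log_text):
    """Yield (timestamp, client, user, record_id, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4)), int(m.group(5))

def find_enumeration(log_text, window=timedelta(seconds=60), min_distinct=4):
    """Map client -> most distinct record ids it touched inside any sliding window,
    for clients at or above min_distinct (the signature of key manipulation)."""
    by_client = defaultdict(list)
    for ts, client, _user, record, _status in parse(log_text):
        by_client[client].append((ts, record))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        if best >= min_distinct:
            flagged[client] = best
    return flagged

def find_unauthenticated_reads(log_text):
    """Clients that received record data (HTTP 200) with no authenticated user."""
    return sorted({c for _, c, u, _, s in parse(log_text) if u == "anon" and s == 200})
```

Tune `window` and `min_distinct` to the application's normal per-client access rate before alerting on the result.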


Technical Details

Data Version: 5.1
Assigner Short Name: TR-CERT
Date Reserved: 2024-04-04T11:53:42.686Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ee47d1509368ccaa6fd05b

Added to database: 10/14/2025, 12:53:37 PM

Last enriched: 10/14/2025, 1:11:34 PM

Last updated: 10/16/2025, 2:39:56 PM
