CVE-2024-35723: Missing Authorization in Andrew Dashboard To-Do List
Missing Authorization vulnerability in Andrew Dashboard To-Do List dashboard-to-do-list. This issue affects Dashboard To-Do List: from n/a through <= 1.2.0.
AI Analysis
Technical Summary
CVE-2024-35723 identifies a Missing Authorization vulnerability in the Andrew Dashboard To-Do List product, affecting versions up to and including 1.2.0. Missing Authorization means that certain functions or data within the dashboard do not enforce proper permission checks, allowing any user, including unauthenticated or unauthorized ones, to access or manipulate to-do list entries. This vulnerability stems from the absence of access control mechanisms on critical API endpoints or UI components responsible for managing to-do list data. Since the product is designed to manage task lists, unauthorized access could lead to exposure of sensitive task information or unauthorized modifications, potentially disrupting workflows or leaking confidential data. The vulnerability was reserved in May 2024 and published in June 2024, with no CVSS score assigned yet and no known active exploitation reported. The lack of a patch link indicates that a fix may still be pending or in development. The vulnerability primarily impacts confidentiality and integrity, as unauthorized users can read or alter data without restrictions. Availability impact is possible if attackers delete or corrupt to-do list data, but this is secondary. The ease of exploitation is likely high since no authentication or authorization is enforced, and user interaction is not required. The scope is limited to installations of the Andrew Dashboard To-Do List product, which may be niche or limited in deployment. Overall, this vulnerability represents a significant risk to organizations relying on this product for task management, especially if sensitive or critical information is stored within the to-do lists.
Potential Impact
The Missing Authorization vulnerability in Andrew Dashboard To-Do List can lead to unauthorized disclosure and modification of task data, compromising confidentiality and integrity. Attackers could view sensitive tasks, alter deadlines, or delete entries, disrupting organizational workflows and potentially causing operational delays or errors. In environments where to-do lists contain critical or sensitive information, this could lead to data leakage or sabotage. Although no active exploitation is reported, the ease of exploitation and lack of authorization controls make this a high-risk issue. Organizations using this product may face reputational damage, loss of trust, and operational inefficiencies if the vulnerability is exploited. The impact is more pronounced in sectors relying heavily on task management for compliance, project tracking, or sensitive operations.
Mitigation Recommendations
Organizations should immediately audit their use of Andrew Dashboard To-Do List and restrict access to trusted users only. Implement network-level access controls such as VPNs or IP whitelisting to limit exposure. Monitor logs for unusual access patterns or unauthorized modifications. If possible, disable or restrict the vulnerable to-do list functionality until a patch is available. Engage with the vendor or community to obtain or expedite a security update that enforces proper authorization checks on all relevant endpoints. Additionally, conduct a thorough review of all API endpoints and UI components to ensure authorization is enforced consistently. Employ application-layer firewalls or reverse proxies to add an additional layer of access control. Educate users about the risk and encourage reporting of suspicious activity. Finally, prepare incident response plans to quickly address any exploitation attempts.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2024-05-17T10:09:31.574Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69cd7448e6bfc5ba1def6923
Added to database: 4/1/2026, 7:38:48 PM
Last enriched: 4/2/2026, 4:56:39 AM
Last updated: 4/4/2026, 8:15:52 AM