CVE-2024-41518 identifies an Incorrect Access Control vulnerability in the Feripro software, versions up to and including 2.2.3. The issue resides in the web endpoint "/admin/programm/<program_id>/export/statistics", which is intended to allow authorized administrators to export XLSX files containing statistics about registrations and participants in programs managed by Feripro. Due to improper access control checks, remote attackers can access this endpoint without authentication or privileges, enabling them to download sensitive participant data. This vulnerability is classified under CWE-284, indicating a failure to properly restrict access to resources. The CVSS v3.1 base score is 7.5, reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality significantly (C:H) but does not affect integrity or availability. The scope remains unchanged (S:U). No patches or exploit code are currently publicly available, but the vulnerability's nature makes it a high-risk issue for organizations using Feripro. The exposure of participant data can lead to privacy violations, regulatory non-compliance, and reputational damage.

The primary impact of CVE-2024-41518 is unauthorized disclosure of sensitive registration and participant information. Organizations using Feripro to manage events, registrations, or participant data risk exposure of personally identifiable information (PII), which can lead to privacy breaches and potential legal consequences under data protection regulations such as GDPR. The vulnerability does not affect data integrity or system availability but compromises confidentiality significantly. Attackers can exploit this remotely without authentication or user interaction, increasing the likelihood of exploitation. This can facilitate further attacks such as social engineering, identity theft, or targeted phishing campaigns. The breach of trust and potential regulatory fines can have severe financial and reputational consequences for affected organizations worldwide.

Since no official patches are currently available, organizations should implement immediate compensating controls. These include restricting network access to the affected endpoint "/admin/programm/<program_id>/export/statistics" using firewalls or web application firewalls (WAFs) to allow only trusted administrative IP addresses. Implement strong authentication and authorization mechanisms around the export functionality, ensuring only authorized personnel can access it. Monitor access logs for unusual or unauthorized requests to this endpoint. If possible, disable the export feature temporarily until a patch is released. Conduct a thorough review of user permissions and audit trails related to data exports. Once a patch or update is released by Feripro, apply it promptly. Additionally, organizations should review their incident response plans to address potential data breaches resulting from this vulnerability.