CVE-2024-41518: n/a
CVE-2024-41518 is an Incorrect Access Control vulnerability in Feripro versions up to 2. 2. 3, specifically in the endpoint "/admin/programm/<program_id>/export/statistics". This flaw allows remote attackers to export XLSX files containing sensitive registration and participant information without authentication or user interaction. The vulnerability has a CVSS score of 7. 5, indicating high severity, due to its ease of exploitation over the network and the high confidentiality impact. Although no known exploits are currently reported in the wild, organizations using Feripro should consider this a serious risk. The vulnerability stems from improper enforcement of access controls (CWE-284), allowing unauthorized data disclosure. Mitigation requires applying patches once available or implementing strict access control measures around the affected endpoint. Countries with significant Feripro usage, especially in Europe and North America, are most at risk.
AI Analysis
Technical Summary
CVE-2024-41518 identifies an Incorrect Access Control vulnerability in the Feripro software, versions up to and including 2.2.3. The issue resides in the web endpoint "/admin/programm/<program_id>/export/statistics", which is intended to allow authorized administrators to export XLSX files containing statistics about registrations and participants in programs managed by Feripro. Due to improper access control checks, remote attackers can access this endpoint without authentication or privileges, enabling them to download sensitive participant data. This vulnerability is classified under CWE-284, indicating a failure to properly restrict access to resources. The CVSS v3.1 base score is 7.5, reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality significantly (C:H) but does not affect integrity or availability. The scope remains unchanged (S:U). No patches or exploit code are currently publicly available, but the vulnerability's nature makes it a high-risk issue for organizations using Feripro. The exposure of participant data can lead to privacy violations, regulatory non-compliance, and reputational damage.
Potential Impact
The primary impact of CVE-2024-41518 is unauthorized disclosure of sensitive registration and participant information. Organizations using Feripro to manage events, registrations, or participant data risk exposure of personally identifiable information (PII), which can lead to privacy breaches and potential legal consequences under data protection regulations such as GDPR. The vulnerability does not affect data integrity or system availability but compromises confidentiality significantly. Attackers can exploit this remotely without authentication or user interaction, increasing the likelihood of exploitation. This can facilitate further attacks such as social engineering, identity theft, or targeted phishing campaigns. The breach of trust and potential regulatory fines can have severe financial and reputational consequences for affected organizations worldwide.
Mitigation Recommendations
Since no official patches are currently available, organizations should implement immediate compensating controls. These include restricting network access to the affected endpoint "/admin/programm/<program_id>/export/statistics" using firewalls or web application firewalls (WAFs) to allow only trusted administrative IP addresses. Implement strong authentication and authorization mechanisms around the export functionality, ensuring only authorized personnel can access it. Monitor access logs for unusual or unauthorized requests to this endpoint. If possible, disable the export feature temporarily until a patch is released. Conduct a thorough review of user permissions and audit trails related to data exports. Once a patch or update is released by Feripro, apply it promptly. Additionally, organizations should review their incident response plans to address potential data breaches resulting from this vulnerability.
Affected Countries
Germany, United States, United Kingdom, France, Netherlands, Canada, Australia, Switzerland, Austria, Belgium
CVE-2024-41518: n/a
Description
CVE-2024-41518 is an Incorrect Access Control vulnerability in Feripro versions up to 2. 2. 3, specifically in the endpoint "/admin/programm/<program_id>/export/statistics". This flaw allows remote attackers to export XLSX files containing sensitive registration and participant information without authentication or user interaction. The vulnerability has a CVSS score of 7. 5, indicating high severity, due to its ease of exploitation over the network and the high confidentiality impact. Although no known exploits are currently reported in the wild, organizations using Feripro should consider this a serious risk. The vulnerability stems from improper enforcement of access controls (CWE-284), allowing unauthorized data disclosure. Mitigation requires applying patches once available or implementing strict access control measures around the affected endpoint. Countries with significant Feripro usage, especially in Europe and North America, are most at risk.
AI-Powered Analysis
Technical Analysis
CVE-2024-41518 identifies an Incorrect Access Control vulnerability in the Feripro software, versions up to and including 2.2.3. The issue resides in the web endpoint "/admin/programm/<program_id>/export/statistics", which is intended to allow authorized administrators to export XLSX files containing statistics about registrations and participants in programs managed by Feripro. Due to improper access control checks, remote attackers can access this endpoint without authentication or privileges, enabling them to download sensitive participant data. This vulnerability is classified under CWE-284, indicating a failure to properly restrict access to resources. The CVSS v3.1 base score is 7.5, reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality significantly (C:H) but does not affect integrity or availability. The scope remains unchanged (S:U). No patches or exploit code are currently publicly available, but the vulnerability's nature makes it a high-risk issue for organizations using Feripro. The exposure of participant data can lead to privacy violations, regulatory non-compliance, and reputational damage.
Potential Impact
The primary impact of CVE-2024-41518 is unauthorized disclosure of sensitive registration and participant information. Organizations using Feripro to manage events, registrations, or participant data risk exposure of personally identifiable information (PII), which can lead to privacy breaches and potential legal consequences under data protection regulations such as GDPR. The vulnerability does not affect data integrity or system availability but compromises confidentiality significantly. Attackers can exploit this remotely without authentication or user interaction, increasing the likelihood of exploitation. This can facilitate further attacks such as social engineering, identity theft, or targeted phishing campaigns. The breach of trust and potential regulatory fines can have severe financial and reputational consequences for affected organizations worldwide.
Mitigation Recommendations
Since no official patches are currently available, organizations should implement immediate compensating controls. These include restricting network access to the affected endpoint "/admin/programm/<program_id>/export/statistics" using firewalls or web application firewalls (WAFs) to allow only trusted administrative IP addresses. Implement strong authentication and authorization mechanisms around the export functionality, ensuring only authorized personnel can access it. Monitor access logs for unusual or unauthorized requests to this endpoint. If possible, disable the export feature temporarily until a patch is released. Conduct a thorough review of user permissions and audit trails related to data exports. Once a patch or update is released by Feripro, apply it promptly. Additionally, organizations should review their incident response plans to address potential data breaches resulting from this vulnerability.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2024-07-18T00:00:00.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6cbbb7ef31ef0b5687db
Added to database: 2/25/2026, 9:42:19 PM
Last enriched: 2/26/2026, 7:07:44 AM
Last updated: 2/26/2026, 11:08:37 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-64999: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Checkmk GmbH Checkmk
HighCVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing
HighCVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS
HighCVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews
HighCVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.