CVE-2024-45877: n/a
baltic-it TOPqw Webportal v1.35.283.2 is vulnerable to Incorrect Access Control in the User Management function in /Apps/TOPqw/BenutzerManagement.aspx. This allows a low privileged user to access all modules in the web portal, view and manipulate information and permissions of other users, lock other users or unlock their own account, change the password of other users, create new users or delete existing users, and view, manipulate and delete reference data.
AI Analysis
Technical Summary
CVE-2024-45877 identifies an Incorrect Access Control vulnerability in the User Management functionality of baltic-it TOPqw Webportal version 1.35.283.2, specifically in the /Apps/TOPqw/BenutzerManagement.aspx page. This vulnerability allows a low privileged authenticated user to bypass intended access restrictions and gain unauthorized access to all modules within the web portal. Exploitation enables the attacker to view and manipulate other users' information and permissions, lock other user accounts, unlock their own account, change passwords of other users, create new user accounts, delete existing users, and modify or delete reference data. The vulnerability arises due to improper enforcement of access control checks (classified under CWE-863), allowing privilege escalation within the application. The CVSS v3.1 base score is 6.5, reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting integrity but not confidentiality or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability poses a significant risk to organizations relying on this web portal for user and data management, as it can lead to unauthorized administrative control and data manipulation.
Potential Impact
The primary impact of CVE-2024-45877 is unauthorized privilege escalation within the baltic-it TOPqw Webportal, allowing low privileged users to gain administrative capabilities. This can lead to unauthorized access and manipulation of sensitive user data, including changing passwords, locking/unlocking accounts, and modifying user permissions, which compromises the integrity of the system. The ability to create or delete users and alter reference data can disrupt normal operations and potentially facilitate further attacks or insider threats. Although availability is not directly affected, the integrity violations can cause significant operational disruptions and loss of trust in the system. Organizations worldwide using this portal risk insider abuse, data tampering, and unauthorized administrative control, which could lead to compliance violations, data breaches, and operational downtime.
Mitigation Recommendations
To mitigate CVE-2024-45877, organizations should immediately restrict access to the User Management module to only fully trusted administrators until a patch is available. Implement additional access control checks at the application and network layers, such as web application firewalls (WAFs) with custom rules to detect and block unauthorized access attempts to BenutzerManagement.aspx. Conduct thorough audits of user permissions and monitor logs for suspicious activities related to user management functions. Employ multi-factor authentication (MFA) for all administrative accounts to reduce the risk of compromised credentials being exploited. If possible, isolate the web portal in a segmented network zone with strict access controls. Engage with baltic-it for official patches or updates and apply them promptly once released. Additionally, conduct regular security assessments and penetration tests focusing on access control mechanisms to detect similar vulnerabilities proactively.
Affected Countries
Germany, Poland, Czech Republic, Austria, Switzerland, Slovakia, Hungary, Netherlands, Belgium, France
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-09-11T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cf1b7ef31ef0b56a684
Added to database: 2/25/2026, 9:43:13 PM
Last enriched: 2/28/2026, 7:08:22 AM
Last updated: 4/12/2026, 1:58:04 PM