CVE-2024-46635 is a vulnerability identified in the INROAD software prior to version 202402060, specifically affecting the API endpoint /AccountMaster/GetCurrentUserInfo. The flaw arises from insufficient validation or improper restriction of the UserNameOrPhoneNumber parameter, allowing attackers to craft payloads that bypass intended access controls. This vulnerability is categorized under CWE-922, which involves improper restriction of operations within the API, leading to unauthorized access to sensitive user information. The attack vector is local (AV:L), meaning the attacker must have some level of local network or system access, but no privileges (PR:N) or user interaction (UI:N) are required. The CVSS v3.1 base score is 5.9, reflecting a medium severity with partial impact on confidentiality, integrity, and availability. While no public exploits have been reported, the vulnerability could be leveraged to gather sensitive user data, potentially enabling further attacks or data leakage. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for monitoring vendor advisories and applying updates promptly once released.

The vulnerability allows unauthorized access to sensitive user information, which can compromise confidentiality by exposing personal or organizational data. Integrity and availability impacts are rated low to medium but still present, as attackers might manipulate or disrupt API responses. For organizations, this could lead to data breaches, loss of customer trust, regulatory penalties, and potential lateral movement within networks if attackers leverage the information for further exploitation. The requirement for local access limits the attack scope but does not eliminate risk, especially in environments with weak internal network segmentation or insider threats. Industries relying heavily on INROAD for user management or authentication services, such as finance, healthcare, and government, could face significant operational and reputational damage if exploited.

Organizations should immediately review access controls and network segmentation to limit local access to the vulnerable API endpoint. Monitoring and logging API requests to detect anomalous payloads targeting UserNameOrPhoneNumber parameters can help identify exploitation attempts. Until a patch is available, consider implementing Web Application Firewall (WAF) rules to block suspicious payloads or restrict access to the /AccountMaster/GetCurrentUserInfo endpoint to trusted IP ranges. Conduct thorough audits of user data exposure and enforce the principle of least privilege for internal network users. Once the vendor releases a patch, prioritize its deployment in all affected environments. Additionally, educate internal teams about the risks of local network threats and enforce strong internal security policies to reduce the likelihood of exploitation.