CVE-2024-50490: Missing Authorization in lowcage PegaPoll

Published: Tue Oct 29 2024 (10/29/2024, 08:33:36 UTC)
Source: CVE Database V5
Vendor/Project: lowcage
Product: PegaPoll

Description

Missing Authorization vulnerability in lowcage PegaPoll pegapoll allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects PegaPoll: from n/a through <= 1.0.2.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/02/2026, 07:33:49 UTC

Technical Analysis

CVE-2024-50490 identifies a Missing Authorization vulnerability in the lowcage PegaPoll software, affecting versions up to and including 1.0.2. The core issue is that certain functionality within PegaPoll is not properly constrained by Access Control Lists (ACLs), allowing users to access features or data without the necessary permissions. This type of vulnerability typically occurs when the software fails to verify whether a user is authorized to perform specific actions, leading to unauthorized access. The vulnerability was reserved on October 24, 2024, and published on October 29, 2024, but no CVSS score or patches have yet been released. No known exploits have been detected in the wild, indicating that active exploitation is not currently observed. However, the risk remains significant because attackers could leverage this flaw to bypass security controls, potentially leading to unauthorized data access or manipulation. The affected product, PegaPoll by lowcage, is a polling or survey tool, which may be used in various organizational contexts for gathering feedback or votes. The lack of proper authorization checks could allow malicious actors to alter poll results, access sensitive polling data, or disrupt the polling process. Given the nature of the vulnerability, exploitation does not require authentication or user interaction, increasing the risk profile. The absence of patches necessitates immediate attention to alternative mitigations until official fixes are available.

Potential Impact

The primary impact of CVE-2024-50490 is unauthorized access to restricted functionality within the PegaPoll application. This can lead to several adverse outcomes: manipulation of poll or survey results, exposure of sensitive or confidential polling data, disruption of polling operations, and potential reputational damage for organizations relying on the integrity of poll data. For organizations using PegaPoll in decision-making or public opinion gathering, this vulnerability undermines trust and data integrity. Additionally, if PegaPoll is integrated with other systems or databases, unauthorized access could serve as a pivot point for broader compromise. Although no exploits are currently known, the ease of exploitation due to missing authorization checks and lack of authentication requirements heightens the risk. The scope is limited to organizations using PegaPoll, but within that scope, the impact on confidentiality, integrity, and availability can be significant. This vulnerability could also be leveraged in targeted attacks against organizations where polling data is strategically important.

Mitigation Recommendations

1. Monitor official channels from lowcage for patches or updates addressing CVE-2024-50490 and apply them immediately upon release.
2. Until patches are available, restrict access to PegaPoll instances to trusted internal networks and authenticated users only, using network segmentation and firewall rules.
3. Implement additional access control mechanisms at the network or application gateway level to enforce authorization policies externally.
4. Conduct thorough audits of user permissions and access logs to detect any unauthorized access attempts or suspicious activities related to PegaPoll.
5. If feasible, disable or limit the use of vulnerable functionality within PegaPoll until a fix is applied.
6. Educate administrators and users about the risk and encourage vigilance for unusual poll results or system behavior.
7. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized access patterns targeting PegaPoll endpoints.
8. Review integration points with other systems to ensure that unauthorized access in PegaPoll does not cascade into broader system compromise.

Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2024-10-24T07:26:46.796Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69cd74f7e6bfc5ba1df0202a

Added to database: 4/1/2026, 7:41:43 PM

Last enriched: 4/2/2026, 7:33:49 AM

Last updated: 4/6/2026, 9:24:27 AM
