CVE-2024-50671: n/a
Incorrect access control in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. The vulnerability occurs due to a flaw in permission verification logic, where the wildcard character in permitted URLs grants unintended access to endpoints restricted to users with Super Admin roles. This makes it possible for attackers to disclose the email addresses of all users.
AI Analysis
Technical Summary
CVE-2024-50671 is a medium-severity vulnerability affecting Adapt Learning's Adapt Authoring Tool versions up to and including 0.11.3. The root cause is an incorrect access control check in the permission verification logic: a wildcard character in the list of permitted URLs matches more broadly than intended, so authenticated users with standard roles are granted access to API endpoints meant only for Super Admin users. Through the 'Get users' feature, such a user can retrieve the email addresses of every registered user. No user interaction is required, and any authenticated user can exploit the flaw remotely over the network, so it is effectively a privilege escalation within the application. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and low confidentiality impact; no integrity or availability impact is reported. The flaw is categorized under CWE-863 (Incorrect Authorization). No public exploits or patches are currently known, so mitigation relies on configuration and monitoring until a fix is released.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of user email addresses, which compromises user privacy and confidentiality. While it does not directly affect data integrity or system availability, the exposure of email addresses can facilitate targeted phishing, social engineering attacks, or further reconnaissance by adversaries. Organizations using the Adapt Authoring Tool may face reputational damage and potential regulatory compliance issues related to data privacy laws such as GDPR or CCPA. Since exploitation requires authenticated access, the threat is limited to insiders or attackers who have obtained user credentials. However, given that email addresses are often used as identifiers and communication channels, their exposure can be leveraged in multi-stage attacks. The lack of known exploits in the wild reduces immediate risk, but the vulnerability remains a concern until remediated.
Mitigation Recommendations
1. Immediately audit and restrict user permissions in the Adapt Authoring Tool to the minimum necessary, especially limiting access to the 'Get users' feature to trusted roles only.
2. Implement strict role-based access control (RBAC) policies and review the use of wildcard characters in URL permission configurations to prevent unintended access.
3. Monitor application logs for unusual access patterns to user data endpoints, particularly requests to 'Get users' from non-privileged accounts.
4. Educate users about credential security to reduce the risk of unauthorized authenticated access.
5. If possible, isolate the Adapt Authoring Tool behind additional access controls such as VPNs or IP whitelisting to reduce exposure.
6. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
7. Consider implementing additional application-layer protections such as Web Application Firewalls (WAFs) to detect and block suspicious API calls related to user enumeration.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-28T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b9eb7ef31ef0b5573fa
Added to database: 2/25/2026, 9:37:34 PM
Last enriched: 2/27/2026, 10:41:24 PM
Last updated: 4/12/2026, 3:45:17 PM