CVE-2024-55058: n/a
An insecure direct object reference (IDOR) vulnerability was discovered in PHPGurukul Online Birth Certificate System v1.0. This vulnerability resides in the viewid parameter of /user/view-application-detail.php. Authenticated users can exploit this flaw by manipulating the viewid parameter in the URL to access sensitive birth certificate details of other users without proper authorization checks.
AI Analysis
Technical Summary
CVE-2024-55058 is an insecure direct object reference (IDOR) in PHPGurukul Online Birth Certificate System version 1.0. The affected page, /user/view-application-detail.php, looks up a birth certificate application by the viewid parameter in the URL but never verifies that the record belongs to the logged-in user. Any authenticated user can therefore substitute another application's viewid and read that applicant's details: the server resolves the reference the client supplied without checking who is allowed to follow it.

The vulnerability is classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference). The CVSS v3.1 base score is 4.3 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: reachable over the network, low attack complexity, requires an authenticated low-privilege account, no user interaction, unchanged scope, limited confidentiality impact and no integrity or availability impact. The PR:L requirement is the only barrier, and if the portal lets the public register an account it is a trivial one. No patch and no public exploit had been reported at the time of analysis.

The impact is confined to confidentiality, but the data at stake is personal information from birth certificate applications, which an authenticated user could harvest in bulk and misuse for identity theft or document fraud. The flaw is a reminder that every user-supplied identifier that references a sensitive resource needs a server-side authorization check tied to the caller's identity.
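The pattern described above, as an added example that is not code from PHPGurukul or from this page: a per-user detail page that loads a record by a client-supplied id, first in the vulnerable form (lookup by id alone) and then with the ownership check folded into the query so that the session user id, not the request, decides what can be read. The table and column names (tblapplication, id, userid, childname), the user ids and the rows are constructed for illustration; the script assumes PHP with the pdo_sqlite extension so that it runs against an in-memory database.

```php
<?php
// Added example, not PHPGurukul code. Models the IDOR pattern: a per-user page
// that loads an application record by a client-supplied id.
// The table `tblapplication` and its columns `id`, `userid`, `childname` are
// hypothetical names chosen for illustration; requires the pdo_sqlite extension.
declare(strict_types=1);

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tblapplication (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL, childname TEXT NOT NULL)');
    // Constructed sample data: two applications owned by two different users.
    $ins = $db->prepare('INSERT INTO tblapplication (id, userid, childname) VALUES (?, ?, ?)');
    $ins->execute([1, 100, 'Alice']);
    $ins->execute([2, 200, 'Bob']);
    return $db;
}

// Vulnerable pattern: the record is selected by id alone. The session user id is
// available to the function but never consulted, so any logged-in user can read
// any application simply by changing ?viewid= in the URL.
function viewApplicationVulnerable(PDO $db, int $sessionUserId, int $viewId): ?array {
    $stmt = $db->prepare('SELECT id, userid, childname FROM tblapplication WHERE id = :id');
    $stmt->execute([':id' => $viewId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: ownership is part of the query predicate, using the user id
// taken from the server-side session, never from the request. A record owned by
// someone else is indistinguishable from a record that does not exist.
function viewApplicationHardened(PDO $db, int $sessionUserId, int $viewId): ?array {
    $stmt = $db->prepare('SELECT id, userid, childname FROM tblapplication WHERE id = :id AND userid = :uid');
    $stmt->execute([':id' => $viewId, ':uid' => $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request-handling shape for the page: identity comes from the session array,
// viewid from the query string and is validated as an integer before use.
// Returns a small [status, body] pair instead of writing output so it can be tested.
function handleRequest(PDO $db, array $session, array $query): array {
    if (!isset($session['uid'])) {
        return ['status' => 302, 'body' => 'redirect to login'];
    }
    $viewId = filter_var($query['viewid'] ?? null, FILTER_VALIDATE_INT);
    if ($viewId === false) {
        return ['status' => 400, 'body' => 'invalid viewid'];
    }
    $row = viewApplicationHardened($db, (int) $session['uid'], $viewId);
    if ($row === null) {
        // 404 rather than 403: do not confirm to the caller that the id exists.
        return ['status' => 404, 'body' => 'not found'];
    }
    return ['status' => 200, 'body' => $row];
}

$db = buildDb();
// User 100 asks for application 2, which belongs to user 200.
var_dump(viewApplicationVulnerable($db, 100, 2));
var_dump(viewApplicationHardened($db, 100, 2));
var_dump(handleRequest($db, ['uid' => 100], ['viewid' => '2'])['status']);
var_dump(handleRequest($db, ['uid' => 100], ['viewid' => '1'])['status']);
```

Run it with the php command-line binary. The vulnerable lookup hands user 100 the row owned by user 200; the hardened lookup returns NULL for the same request, and handleRequest maps that to a 404, so an attacker cannot use a 403 to confirm that a given viewid exists before trying another account. The important design choice is that the ownership check lives in the same statement that fetches the row; a separate "fetch, then compare userid" step is easy to forget on the next page that is added.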
Potential Impact
The direct consequence is unauthorized disclosure of birth certificate details held in other users' applications, with the follow-on risks of privacy breach, identity theft and document fraud. Operators of the affected system, typically civil registries or agencies handling vital records, face reputational damage, legal exposure under data protection law and loss of public trust. Exploitation requires a valid account but no user interaction, so the realistic attacker is an insider, the holder of a compromised account or, if the portal allows self-registration, anyone who signs up. Integrity and availability are not affected. No exploitation in the wild has been reported, but the attack is low complexity and network-reachable: once logged in, the attacker changes a single URL parameter, and if viewid values are sequential database keys the entire table can be enumerated with a short script. The CVSS score is medium, yet for a registry whose primary security property is the confidentiality of its records the practical impact is considerably higher.
Mitigation Recommendations
1. Enforce a server-side authorization check on every request to /user/view-application-detail.php: resolve viewid only together with the identity from the session (for example, by adding the owner's user id to the query predicate) and return the same not-found response for records that exist but belong to someone else.
2. Apply the ownership check through one access control layer (role-based or attribute-based) rather than page by page, so that user views and administrative views follow a single least-privilege policy.
3. Treat opaque or random identifiers as defence in depth only; they slow enumeration but do not replace the ownership check, since a leaked identifier would still grant access.
4. Review the code base for other pages that take a record id from the request, and include IDOR test cases (two accounts, swapped ids) in security testing.
5. Monitor web server and application logs for a single account or client requesting many distinct viewid values in a short time, which is the signature of enumeration.
6. Apply a vendor patch when one becomes available; none had been reported at the time of analysis.
7. Remind users to protect their credentials, since a compromised account is all the attacker needs.
8. Rate-limit requests to the detail page per account and alert on anomalies to contain automated exploitation.
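To make item 5 concrete, the following added script (not part of this page or of PHPGurukul) parses access log lines in Apache combined format and flags any client that requested /user/view-application-detail.php with many distinct viewid values inside a short window. The nine log lines, the IP addresses, the 300-second window and the threshold of five distinct ids are constructed for illustration and the thresholds should be tuned to real traffic.

```php
<?php
// Added example, not part of the original page or of PHPGurukul. Flags clients
// whose requests to the detail page carry many distinct viewid values within a
// short window, the access pattern an IDOR enumeration leaves in a web server log.
// SAMPLE_LOG, the IP addresses, WINDOW_SECONDS and DISTINCT_IDS_THRESHOLD are
// constructed for illustration.
declare(strict_types=1);

const TARGET_PATH = '/user/view-application-detail.php';
const DISTINCT_IDS_THRESHOLD = 5;   // distinct viewid values per client per window
const WINDOW_SECONDS = 300;

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [25/Feb/2026:21:38:18 +0000] "GET /user/view-application-detail.php?viewid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:21:38:19 +0000] "GET /user/view-application-detail.php?viewid=13 HTTP/1.1" 200 5088 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:21:38:19 +0000] "GET /user/view-application-detail.php?viewid=14 HTTP/1.1" 200 5101 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:21:38:20 +0000] "GET /user/view-application-detail.php?viewid=15 HTTP/1.1" 200 5099 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:21:38:20 +0000] "GET /user/view-application-detail.php?viewid=16 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:21:38:21 +0000] "GET /user/view-application-detail.php?viewid=17 HTTP/1.1" 200 5102 "-" "Mozilla/5.0"
198.51.100.3 - - [25/Feb/2026:21:40:02 +0000] "GET /user/view-application-detail.php?viewid=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [25/Feb/2026:21:40:30 +0000] "GET /user/view-application-detail.php?viewid=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [25/Feb/2026:21:41:00 +0000] "GET /user/dashboard.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into ip, epoch time, path, query array and status, or null. */
function parseLine(string $line): ?array {
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    $url = parse_url($m[3]);
    parse_str($url['query'] ?? '', $query);
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'path' => $url['path'] ?? '', 'query' => $query, 'status' => (int) $m[4]];
}

/** Return, per client IP, the largest distinct-viewid count seen in any WINDOW_SECONDS span that meets the threshold. */
function findEnumeration(string $log): array {
    $perClient = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parseLine($line);
        if ($rec === null || $rec['path'] !== TARGET_PATH || !isset($rec['query']['viewid'])) {
            continue;
        }
        $perClient[$rec['ip']][] = [$rec['time'], $rec['query']['viewid']];
    }
    $alerts = [];
    foreach ($perClient as $ip => $events) {
        usort($events, fn($a, $b) => $a[0] <=> $b[0]);
        // Sliding window over time-ordered events, counting distinct ids inside it.
        $start = 0;
        for ($end = 0; $end < count($events); $end++) {
            while ($events[$end][0] - $events[$start][0] > WINDOW_SECONDS) {
                $start++;
            }
            $ids = array_unique(array_column(array_slice($events, $start, $end - $start + 1), 1));
            if (count($ids) >= DISTINCT_IDS_THRESHOLD) {
                $alerts[$ip] = ['distinct_ids' => count($ids), 'first' => $events[$start][0], 'last' => $events[$end][0]];
            }
        }
    }
    return $alerts;
}

foreach (findEnumeration(SAMPLE_LOG) as $ip => $a) {
    printf("%s requested %d distinct viewid values within %d seconds\n", $ip, $a['distinct_ids'], $a['last'] - $a['first']);
}
```

Keying on the client IP is the weakest available field, and the default Apache format offers nothing better. If the application writes its own audit log with the session user id, group on that instead: a legitimate user reviewing several of their own applications produces repeated hits on a handful of ids they own, whereas an enumerating account walks through ids it has never been issued, and that distinction is only visible when the log records who was logged in.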
Affected Countries
India, Bangladesh, Pakistan, Nepal, Sri Lanka
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-12-06T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bcab7ef31ef0b55af97
Added to database: 2/25/2026, 9:38:18 PM
Last enriched: 2/27/2026, 11:46:02 PM
Last updated: 4/12/2026, 3:45:54 PM