CVE-2024-57698 is a high-severity vulnerability affecting modernwms version 1.0, where an unauthenticated attacker can access sensitive information by querying the /user/list?culture=en-us endpoint. Specifically, this endpoint exposes the MD5 hash of the administrator password along with other user attributes without requiring any authentication or authorization. This excessive information disclosure stems from insufficient access control mechanisms protecting this endpoint. Since the MD5 hash of the administrator password is exposed, an attacker can attempt offline brute-force or dictionary attacks to recover the plaintext password, potentially gaining administrative access. The vulnerability persists even after initial configuration and password changes, indicating a fundamental design flaw in access control enforcement. The CVSS 3.1 base score is 7.5 (high), reflecting that the vulnerability is remotely exploitable over the network without privileges or user interaction, and it impacts confidentiality significantly, though integrity and availability remain unaffected. The weakness is classified under CWE-281 (Improper Authentication), highlighting the failure to restrict access to sensitive information endpoints. No patches or vendor mitigations are currently listed, and no known exploits are reported in the wild as of the publication date (April 29, 2025).

For European organizations using modernwms v1.0, this vulnerability poses a serious risk to the confidentiality of administrator credentials. If exploited, attackers could recover administrator passwords, leading to unauthorized access to the system's management interface. This can result in further compromise of the warehouse management system, manipulation of inventory data, disruption of supply chain operations, and potential leakage of sensitive business information. Given the critical role of warehouse management systems in logistics and manufacturing sectors, exploitation could cause operational disruptions and financial losses. Additionally, unauthorized access may facilitate lateral movement within corporate networks, increasing the risk of broader compromise. The exposure of password hashes without authentication also undermines trust in the system's security posture and may violate compliance requirements under regulations such as GDPR, especially if personal data is indirectly affected. The lack of known exploits currently limits immediate widespread impact, but the vulnerability's ease of exploitation and high confidentiality impact warrant urgent attention.

Organizations should immediately audit their deployment of modernwms v1.0 to identify exposure of the /user/list?culture=en-us endpoint. As no official patches are currently available, mitigation should focus on restricting access to this endpoint through network-level controls such as firewall rules or web application firewalls (WAF) to block unauthenticated requests. Implementing strict access control policies to require authentication and authorization before accessing user-related endpoints is critical. Administrators should consider changing passwords to strong, complex values and monitoring for unusual access patterns or brute-force attempts. If possible, disable or restrict the vulnerable endpoint until a vendor patch is released. Additionally, organizations should conduct internal penetration testing to verify that no other endpoints expose sensitive information without authentication. Finally, maintain vigilant monitoring and logging to detect potential exploitation attempts and prepare incident response plans accordingly.