CVE-2024-51992

MEDIUM EPSS 24.0%
Published Nov 11, 20241y ago · Modified Jun 17, 20262w ago
4.1 CVSS 3.1
Medium
Find Similar
Published Nov 11, 2024 1y ago
Last Modified Jun 17, 2026 2w ago

Description

Orchid is a @laravel package that allows for rapid application development of back-office applications, admin/user panels, and dashboards. This vulnerability is a method exposure issue (CWE-749: Exposed Dangerous Method or Function) in the Orchid Platform’s asynchronous modal functionality, affecting users of Orchid Platform version 8 through 14.42.x. Attackers could exploit this vulnerability to call arbitrary methods within the `Screen` class, leading to potential brute force of database tables, validation checks against user credentials, and disclosure of the server’s real IP address. The issue has been patched in the latest release, version 14.43.0, released on November 6, 2024. Users should upgrade to version 14.43.0 or later to address this vulnerability. If upgrading to version 14.43.0 is not immediately possible, users can mitigate the vulnerability by implementing middleware to intercept and validate requests to asynchronous modal endpoints, allowing only approved methods and parameters.

CVSS Details

Base Score
4.1
Exploitability
2.3
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Changed
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
24.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-749

References 1

  • github.com https://github.com/orchidsoftware/platform/security/advisories/GHSA-cm46-gqf4-mv4f

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.