CVE-2024-11071: Improper Access Control In DestinyECM
Description
Permissive Cross-domain Policy with Untrusted Domains vulnerability in local API server of DestinyECM solution(versions described below) which is developed and maintained by Cyberdigm may allow Cross-Site Request Forgery (CSRF) attack, which probabilistically enables JSON Hijacking (aka JavaScript Hijacking) via forgery web page.* Due to product customization, version information may differ from the following version description. For further inquiries, please contact the vendor.
Classification
CVE ID: CVE-2024-11071
CVSS Base Severity: HIGH
CVSS Base Score: 7.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
Problem Types
CWE-352 Cross-Site Request Forgery (CSRF) CWE-942 Permissive Cross-domain Policy with Untrusted DomainsAffected Products
Vendor: Cyberdigm
Product: DestinyECM
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.02% (probability of being exploited)
EPSS Percentile: 3.36% (scored less or equal to compared to others)
EPSS Date: 2025-05-06 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2024-11071https://cyberdigm.co.kr/destinyEcm