CRITICAL🇵🇱 Wersja polska

CVE-2024-0949

CVSS 9.8v3.1pub. 2024-06-27upd. 2026-06-03

Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68.

🤖 AI Analysis
How it works

The vulnerability involves three related weaknesses (CWE-306, CWE-552, CWE-798): lack of user identity verification before access to protected resources, possibility of direct access to files or directories by external users, and presence of hardcoded credentials embedded in the application. The combination of these three vectors allows an attacker to bypass authentication mechanisms without knowledge of correct access credentials. The attack is possible remotely over the network, requires no privileges and no user interaction.

Impact

An attacker can obtain unauthorized, full access to the Elektraweb system, leading to violations of data confidentiality, integrity, and availability (CVSS score: C:H/I:H/A:H). In practice, this means the ability to read, modify, or delete data managed by the system.

Mitigation & patch

Immediately update the Elektraweb system to version v17.0.68 or later. Until the patch is deployed, it is recommended to restrict network access to the system exclusively to trusted internal networks or apply firewall rules blocking external access.

Who is affected

Talya Informatics Elektraweb — all versions before v17.0.68

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References