CVE-2024-53855
CVE-2024-53855 is a low-severity vulnerability in Nofusscomputing Centurion Erp with a CVSS 3.x base score of 1.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-653.
Key facts
- Severity: Low (CVSS 3.x base score 1.9)
- EPSS exploit prediction: 0% (35th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-52176
- Weakness: CWE-653
- Affected product: Nofusscomputing Centurion Erp
- Published:
- Last modified:
Description
Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.
Frequently asked questions
- What is CVE-2024-53855?
- Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.
- How severe is CVE-2024-53855?
- CVE-2024-53855 has a CVSS 3.x base score of 1.9, rated low severity. It is exploitable over physical access with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2024-53855 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (35th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-53855?
- CVE-2024-53855 affects Nofusscomputing Centurion Erp. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-53855?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-53855 have an EU (EUVD) identifier?
- Yes. CVE-2024-53855 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-52176.
- When was CVE-2024-53855 published?
- CVE-2024-53855 was published on 2024-11-27 and last updated on 2026-06-17.
References
- https://github.com/nofusscomputing/centurion_erp/pull/399
- https://github.com/nofusscomputing/centurion_erp/pull/399/commits/61f34876ed0f8362f7185bd5eecfc830a9de5cb0
- https://github.com/nofusscomputing/centurion_erp/releases/tag/1.3.1
- https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-h9q2-fcc6-r65c
Affected products (1)
- cpe:2.3:a:nofusscomputing:centurion_erp:*:*:*:*:*:*:*:*
More vulnerabilities in Nofusscomputing Centurion Erp
- CVE-2024-49373 — Medium (CVSS 4.1): No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an…
- CVE-2025-58156 — Low (CVSS 1.9): Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an…
All CVEs affecting Nofusscomputing Centurion Erp →
Other CWE-653 vulnerabilities
- CVE-2026-4692 — Critical (CVSS 10.0): Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR…
- CVE-2025-1974 — Critical (CVSS 9.8): A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access…
- CVE-2024-33768 — Critical (CVSS 9.8): lunasvg v2.3.9 was discovered to contain a segmentation violation via the component composition_solid_source_over.
- CVE-2026-0542 — Critical (CVSS 9.2): ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This…
- CVE-2025-4083 — Critical (CVSS 9.1): A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow…
- CVE-2025-5476 — High (CVSS 8.8): Sony XAV-AX8500 Bluetooth Improper Isolation Authentication Bypass Vulnerability. This vulnerability allows…