CVE-2024-53855

CVE-2024-53855 is a low-severity vulnerability in Nofusscomputing Centurion Erp with a CVSS 3.x base score of 1.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-653.

Key facts

Description

Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.

Frequently asked questions

What is CVE-2024-53855?
Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.
How severe is CVE-2024-53855?
CVE-2024-53855 has a CVSS 3.x base score of 1.9, rated low severity. It is exploitable over physical access with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2024-53855 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (35th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-53855?
CVE-2024-53855 affects Nofusscomputing Centurion Erp. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-53855?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-53855 have an EU (EUVD) identifier?
Yes. CVE-2024-53855 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-52176.
When was CVE-2024-53855 published?
CVE-2024-53855 was published on 2024-11-27 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Nofusscomputing Centurion Erp

All CVEs affecting Nofusscomputing Centurion Erp →

Other CWE-653 vulnerabilities

Browse all CWE-653 vulnerabilities →