{"id":65750,"date":"2025-08-29T08:54:23","date_gmt":"2025-08-29T08:54:23","guid":{"rendered":""},"modified":"2025-09-10T13:07:59","modified_gmt":"2025-09-10T19:07:59","slug":"cve-2024-50644-authentication-bypass-vulnerability-in-zhisheng17-blog-3-0-1-snapshot","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2024-50644-authentication-bypass-vulnerability-in-zhisheng17-blog-3-0-1-snapshot\/","title":{"rendered":"<strong>CVE-2024-50644: Authentication Bypass Vulnerability in zhisheng17 blog 3.0.1-SNAPSHOT<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>The vulnerability CVE-2024-50644 represents a significant security flaw in zhisheng17 blog 3.0.1-SNAPSHOT. This vulnerability allows an attacker to access the application&#8217;s API without any required authentication token, thereby bypassing the built-in security measures. This flaw could <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-30327-integer-overflow-vulnerability-in-incopy-leading-to-potential-arbitrary-code-execution\/\"  data-wpil-monitor-id=\"73736\">potentially lead<\/a> to system compromise or data leakage, posing a significant threat to any organization utilizing this software. The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-53546-high-severity-vulnerability-in-folo-s-github-workflow\/\"  data-wpil-monitor-id=\"73381\">severity of this vulnerability<\/a> is underlined by its CVSS Severity Score of 9.8, indicating its critical status.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2024-50644<br \/>\nSeverity: Critical (CVSS: 9.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-21432-memory-corruption-vulnerability-resulting-in-potential-system-compromise-or-data-leakage\/\"  data-wpil-monitor-id=\"77274\">System compromise or data<\/a> leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-2730308506\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>zhisheng17 blog | 3.0.1-SNAPSHOT<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The exploit leverages a flaw in the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-55306-critical-api-key-and-authentication-token-exposure-in-genx-fx-trading-platform\/\"  data-wpil-monitor-id=\"81361\">API authentication<\/a> process of the zhisheng17 blog 3.0.1-SNAPSHOT. The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-44957-ruckus-smartzone-authentication-bypass-vulnerability\/\"  data-wpil-monitor-id=\"74026\">authentication bypass<\/a> vulnerability occurs when the application fails to properly validate the required authentication tokens. This <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-47168-use-after-free-vulnerability-in-microsoft-office-word-allowing-unauthorized-code-execution\/\"  data-wpil-monitor-id=\"73213\">allows an attacker to make unauthorized<\/a> API requests without any credentials, thereby gaining unauthorized access to potentially sensitive data and even compromising the affected system.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-2746028967\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>Below is a conceptual example of how an attacker might exploit the vulnerability.<\/p>\n<pre><code class=\"\" data-line=\"\">GET \/api\/v1\/users HTTP\/1.1\nHost: target.example.com\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)\nAccept: application\/json<\/code><\/pre>\n<p>In this pseudo code, the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-9408-server-side-request-forgery-attack-in-eclipse-glassfish\/\"  data-wpil-monitor-id=\"77273\">attacker sends a GET request<\/a> to the `\/api\/v1\/users` endpoint of the affected zhisheng17 blog application, which should normally require an authentication token. However, due to the flaw, the request is processed without validating the token, providing the attacker with unauthorized <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-43220-unprecedented-data-access-vulnerability-in-multiple-macos-and-ipados-versions\/\"  data-wpil-monitor-id=\"73215\">access to the data<\/a>.<\/p>\n<p><strong>Mitigation and Recommendations<\/strong><\/p>\n<p>To mitigate this vulnerability, it is strongly recommended to apply the vendor&#8217;s patch as soon as it is available. In the interim, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) should be used to detect and prevent unauthorized API requests. Additionally, regular security audits should be carried out to ensure the integrity of the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-54788-sql-injection-vulnerability-in-suitecrm-leading-to-potential-system-compromise-or-data-leakage\/\"  data-wpil-monitor-id=\"80214\">system and data<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The vulnerability CVE-2024-50644 represents a significant security flaw in zhisheng17 blog 3.0.1-SNAPSHOT. This vulnerability allows an attacker to access the application&#8217;s API without any required authentication token, thereby bypassing the built-in security measures. This flaw could potentially lead to system compromise or data leakage, posing a significant threat to any organization utilizing this software. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[82],"product":[],"attack_vector":[75],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-65750","post","type-post","status-publish","format-standard","hentry","category-uncategorized","vendor-microsoft","attack_vector-authentication-bypass"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/65750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=65750"}],"version-history":[{"count":8,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/65750\/revisions"}],"predecessor-version":[{"id":73810,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/65750\/revisions\/73810"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=65750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=65750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=65750"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=65750"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=65750"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=65750"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=65750"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=65750"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=65750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}