cbcvebase.
CVE-2024-46310
published 2025-01-13

CVE-2024-46310: Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via exposed API endpoint

Priority: P2 · 69 · critical · CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploit
EPSS: 2.39% (81.9th percentile)

Detection & IOCs (extracted from sources)

URL: /players.json
  • The vulnerable endpoint is unauthenticated and exposed by default on FXServer v9601 and earlier; no credentials or session tokens are required to trigger the information disclosure.
  • The Nuclei template is marked max-request: 1, meaning a single HTTP GET to /players.json is sufficient to confirm exploitation; no multi-step interaction is needed.