CVE-2026-3321 in ON24 Q&A Chat
요약 (영어)
A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.
책임이 있는
INCIBE
예약하다
2026. 02. 27.
공개
2026. 03. 30.
엔트리
VulDB provides additional information and datapoints for this CVE:
| 아이디 | 취약성 | CWE | 악용 | 대책 | CVE |
|---|---|---|---|---|---|
| 354190 | ON24 Q&A Chat History answer 권한 상승 | 639 | 정의되지 않음 | 정의되지 않음 | CVE-2026-3321 |