CVE-2024-3676

EUVD-2024-32251
The Proofpoint Encryption endpoint of Proofpoint Enterprise Protection contains an Improper Input Validation vulnerability that allows an unauthenticated remote attacker with a specially crafted HTTP request to create additional Encryption user accounts under the attacker's control.  These accounts are able to send spoofed email to any users within the domains configured by the Administrator.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score Percentile: 65%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor | Product | Version | Source
proofpoint | enterprise_protection | 8.18.6 ≤ x < patch_4868 | ADP
proofpoint | enterprise_protection | 8.20.0 ≤ x < patch_4869 | ADP
proofpoint | enterprise_protection | 8.20.2 ≤ x < patch_4870 | ADP
prootpoint | enterprise_protection | 8.20.4 ≤ x < patch_4871 | ADP
prootpoint | enterprise_protection | 8.21.0 ≤ x < patch_4872 | ADP