CVE-2024-22179

The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account takeover and arbitrary password change.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02

Configurations

No configuration.

History

21 Nov 2024, 08:55

Type	Values Removed	Values Added
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02 -

28 May 2024, 17:15

Type	Values Removed	Values Added
Summary	(en) The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account takeover and arbitrary password change.	(en) The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account takeover and arbitrary password change.

19 Apr 2024, 13:10

Type	Values Removed	Values Added
Summary		(es) La aplicación es vulnerable a una manipulación de parámetros no autenticados que permite a un atacante dejar las credenciales en blanco, dándole acceso al panel de administración. También vulnerable a la apropiación de cuentas y al cambio arbitrario de contraseña.

18 Apr 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-18 22:15

Updated : 2024-11-21 08:55

NVD link : CVE-2024-22179

Mitre link : CVE-2024-22179

CVE.ORG link : CVE-2024-22179

JSON object : View

Products Affected

No product.

CWE

CWE-302

Authentication Bypass by Assumed-Immutable Data

{"id": "CVE-2024-22179", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.7, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-04-18T22:15:09.850", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-302"}]}], "descriptions": [{"lang": "en", "value": "The application is vulnerable to an unauthenticated parameter \nmanipulation that allows an attacker to set the credentials to blank \ngiving her access to the admin panel. Also vulnerable to account \ntakeover and arbitrary password change."}, {"lang": "es", "value": "La aplicaci\u00f3n es vulnerable a una manipulaci\u00f3n de par\u00e1metros no autenticados que permite a un atacante dejar las credenciales en blanco, d\u00e1ndole acceso al panel de administraci\u00f3n. Tambi\u00e9n vulnerable a la apropiaci\u00f3n de cuentas y al cambio arbitrario de contrase\u00f1a."}], "lastModified": "2024-11-21T08:55:44.090", "sourceIdentifier": "ics-cert@hq.dhs.gov"}