CVE-2024-8585

{"id": "CVE-2024-8585", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-09-09T03:15:10.013", "references": [{"url": "https://www.twcert.org.tw/en/cp-139-8042-f9f26-2.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-8041-dfbf9-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Orca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files."}, {"lang": "es", "value": "Orca HCM de LEARNING DIGITA no restringe adecuadamente un par\u00e1metro espec\u00edfico de la funcionalidad de descarga de archivos, lo que permite que un atacante remoto con privilegios regulares descargue archivos de sistema arbitrarios."}], "lastModified": "2024-09-11T15:53:35.693", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:learningdigital:orca_hcm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C124B76-9742-4EC2-93D5-B34039A6159E", "versionEndExcluding": "11.0"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}