CVE-2024-9324

A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relatório de Operadores Page. The manipulation of the argument fields leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.21.58 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed early on 2024-07-19 about this issue. The release of a fixed version 2.21.58 was announced for the end of August 2024 but then was postponed until 2024-09-20.
Configurations

Configuration 1 (hide)

cpe:2.3:a:intelbras:incontrol_web:*:*:*:*:*:*:*:*

History

04 Nov 2024, 19:15

Type Values Removed Values Added
CWE CWE-707
CWE-74
References
  • () https://backend.intelbras.com/sites/default/files/2024-10/Aviso%20de%20Seguran%C3%A7a%20-%20Incontrol%202.21.56%20e%202.21.57.pdf -
  • () https://download.cronos.intelbras.com.br/download/INCONTROL/INCONTROL-WEB/prod/INCONTROL-WEB-2.21.58-233dfd1ac1e2ca3eabb71c854005c78b.exe -
Summary (en) A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relatório de Operadores Page. The manipulation of the argument fields leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was informed early on 2024-07-19 about this issue. The release of a fixed version 2.21.58 was announced for the end of August 2024 but then was postponed until 2024-09-20. (en) A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relatório de Operadores Page. The manipulation of the argument fields leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.21.58 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed early on 2024-07-19 about this issue. The release of a fixed version 2.21.58 was announced for the end of August 2024 but then was postponed until 2024-09-20.

07 Oct 2024, 16:05

Type Values Removed Values Added
References () https://vuldb.com/?ctiid.278828 - () https://vuldb.com/?ctiid.278828 - Permissions Required
References () https://vuldb.com/?id.278828 - () https://vuldb.com/?id.278828 - Permissions Required
References () https://vuldb.com/?submit.375614 - () https://vuldb.com/?submit.375614 - Exploit, Third Party Advisory
References () https://youtu.be/UdZVktPUy8A - () https://youtu.be/UdZVktPUy8A - Broken Link
CVSS v2 : 6.5
v3 : 6.3
v2 : 6.5
v3 : 8.8
First Time Intelbras incontrol Web
Intelbras
CPE cpe:2.3:a:intelbras:incontrol_web:*:*:*:*:*:*:*:*

30 Sep 2024, 12:45

Type Values Removed Values Added
Summary
  • (es) Se ha detectado una vulnerabilidad en Intelbras InControl hasta la versión 2.21.57. Se ha calificado como crítica. Este problema afecta a algunas funciones desconocidas del archivo /v1/operador/ del componente Relatório de Operadores Page. La manipulación de los campos de argumentos conduce a la inyección de código. El ataque puede iniciarse de forma remota. El exploit se ha divulgado al público y puede utilizarse. El proveedor fue informado de este problema el 19 de julio de 2024. El lanzamiento de una versión corregida 2.21.58 se anunció para fines de agosto de 2024, pero luego se pospuso hasta el 20 de septiembre de 2024.

29 Sep 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-29 07:15

Updated : 2024-11-04 19:15


NVD link : CVE-2024-9324

Mitre link : CVE-2024-9324

CVE.ORG link : CVE-2024-9324


JSON object : View

Products Affected

intelbras

  • incontrol_web
CWE
CWE-707

Improper Neutralization

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')