CVE-2024-9324 (GCVE-0-2024-9324)
Vulnerability from cvelistv5 – Published: 2024-09-29 07:00 – Updated: 2024-11-04 19:13
VLAI?
Title
Intelbras InControl Relatório de Operadores Page operador code injection
Summary
A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relatório de Operadores Page. The manipulation of the argument fields leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.21.58 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed early on 2024-07-19 about this issue. The release of a fixed version 2.21.58 was announced for the end of August 2024 but then was postponed until 2024-09-20.
Severity ?
6.3 (Medium)
6.3 (Medium)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Intelbras | InControl |
Affected:
2.21.0
Affected: 2.21.1 Affected: 2.21.2 Affected: 2.21.3 Affected: 2.21.4 Affected: 2.21.5 Affected: 2.21.6 Affected: 2.21.7 Affected: 2.21.8 Affected: 2.21.9 Affected: 2.21.10 Affected: 2.21.11 Affected: 2.21.12 Affected: 2.21.13 Affected: 2.21.14 Affected: 2.21.15 Affected: 2.21.16 Affected: 2.21.17 Affected: 2.21.18 Affected: 2.21.19 Affected: 2.21.20 Affected: 2.21.21 Affected: 2.21.22 Affected: 2.21.23 Affected: 2.21.24 Affected: 2.21.25 Affected: 2.21.26 Affected: 2.21.27 Affected: 2.21.28 Affected: 2.21.29 Affected: 2.21.30 Affected: 2.21.31 Affected: 2.21.32 Affected: 2.21.33 Affected: 2.21.34 Affected: 2.21.35 Affected: 2.21.36 Affected: 2.21.37 Affected: 2.21.38 Affected: 2.21.39 Affected: 2.21.40 Affected: 2.21.41 Affected: 2.21.42 Affected: 2.21.43 Affected: 2.21.44 Affected: 2.21.45 Affected: 2.21.46 Affected: 2.21.47 Affected: 2.21.48 Affected: 2.21.49 Affected: 2.21.50 Affected: 2.21.51 Affected: 2.21.52 Affected: 2.21.53 Affected: 2.21.54 Affected: 2.21.55 Affected: 2.21.56 Affected: 2.21.57 |
Credits
Stux (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T19:19:49.189731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T19:20:23.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Relat\u00f3rio de Operadores Page"
],
"product": "InControl",
"vendor": "Intelbras",
"versions": [
{
"status": "affected",
"version": "2.21.0"
},
{
"status": "affected",
"version": "2.21.1"
},
{
"status": "affected",
"version": "2.21.2"
},
{
"status": "affected",
"version": "2.21.3"
},
{
"status": "affected",
"version": "2.21.4"
},
{
"status": "affected",
"version": "2.21.5"
},
{
"status": "affected",
"version": "2.21.6"
},
{
"status": "affected",
"version": "2.21.7"
},
{
"status": "affected",
"version": "2.21.8"
},
{
"status": "affected",
"version": "2.21.9"
},
{
"status": "affected",
"version": "2.21.10"
},
{
"status": "affected",
"version": "2.21.11"
},
{
"status": "affected",
"version": "2.21.12"
},
{
"status": "affected",
"version": "2.21.13"
},
{
"status": "affected",
"version": "2.21.14"
},
{
"status": "affected",
"version": "2.21.15"
},
{
"status": "affected",
"version": "2.21.16"
},
{
"status": "affected",
"version": "2.21.17"
},
{
"status": "affected",
"version": "2.21.18"
},
{
"status": "affected",
"version": "2.21.19"
},
{
"status": "affected",
"version": "2.21.20"
},
{
"status": "affected",
"version": "2.21.21"
},
{
"status": "affected",
"version": "2.21.22"
},
{
"status": "affected",
"version": "2.21.23"
},
{
"status": "affected",
"version": "2.21.24"
},
{
"status": "affected",
"version": "2.21.25"
},
{
"status": "affected",
"version": "2.21.26"
},
{
"status": "affected",
"version": "2.21.27"
},
{
"status": "affected",
"version": "2.21.28"
},
{
"status": "affected",
"version": "2.21.29"
},
{
"status": "affected",
"version": "2.21.30"
},
{
"status": "affected",
"version": "2.21.31"
},
{
"status": "affected",
"version": "2.21.32"
},
{
"status": "affected",
"version": "2.21.33"
},
{
"status": "affected",
"version": "2.21.34"
},
{
"status": "affected",
"version": "2.21.35"
},
{
"status": "affected",
"version": "2.21.36"
},
{
"status": "affected",
"version": "2.21.37"
},
{
"status": "affected",
"version": "2.21.38"
},
{
"status": "affected",
"version": "2.21.39"
},
{
"status": "affected",
"version": "2.21.40"
},
{
"status": "affected",
"version": "2.21.41"
},
{
"status": "affected",
"version": "2.21.42"
},
{
"status": "affected",
"version": "2.21.43"
},
{
"status": "affected",
"version": "2.21.44"
},
{
"status": "affected",
"version": "2.21.45"
},
{
"status": "affected",
"version": "2.21.46"
},
{
"status": "affected",
"version": "2.21.47"
},
{
"status": "affected",
"version": "2.21.48"
},
{
"status": "affected",
"version": "2.21.49"
},
{
"status": "affected",
"version": "2.21.50"
},
{
"status": "affected",
"version": "2.21.51"
},
{
"status": "affected",
"version": "2.21.52"
},
{
"status": "affected",
"version": "2.21.53"
},
{
"status": "affected",
"version": "2.21.54"
},
{
"status": "affected",
"version": "2.21.55"
},
{
"status": "affected",
"version": "2.21.56"
},
{
"status": "affected",
"version": "2.21.57"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stux (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relat\u00f3rio de Operadores Page. The manipulation of the argument fields leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.21.58 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed early on 2024-07-19 about this issue. The release of a fixed version 2.21.58 was announced for the end of August 2024 but then was postponed until 2024-09-20."
},
{
"lang": "de",
"value": "Eine kritische Schwachstelle wurde in Intelbras InControl bis 2.21.57 ausgemacht. Betroffen davon ist ein unbekannter Prozess der Datei /v1/operador/ der Komponente Relat\u00f3rio de Operadores Page. Dank der Manipulation des Arguments fields mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 2.21.58 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-707",
"description": "Improper Neutralization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T19:13:08.178Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-278828 | Intelbras InControl Relat\u00f3rio de Operadores Page operador code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.278828"
},
{
"name": "VDB-278828 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.278828"
},
{
"name": "Submit #375614 | Intelbras InControl 2.21.57 (last version) Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.375614"
},
{
"tags": [
"media-coverage"
],
"url": "https://youtu.be/UdZVktPUy8A"
},
{
"tags": [
"related"
],
"url": "https://backend.intelbras.com/sites/default/files/2024-10/Aviso%20de%20Seguran%C3%A7a%20-%20Incontrol%202.21.56%20e%202.21.57.pdf"
},
{
"tags": [
"patch"
],
"url": "https://download.cronos.intelbras.com.br/download/INCONTROL/INCONTROL-WEB/prod/INCONTROL-WEB-2.21.58-233dfd1ac1e2ca3eabb71c854005c78b.exe"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-09-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-04T20:16:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "Intelbras InControl Relat\u00f3rio de Operadores Page operador code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-9324",
"datePublished": "2024-09-29T07:00:05.883Z",
"dateReserved": "2024-09-28T13:28:09.234Z",
"dateUpdated": "2024-11-04T19:13:08.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-9324\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-30T19:19:49.189731Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-30T19:20:14.642Z\"}}], \"cna\": {\"title\": \"Intelbras InControl Relat\\u00f3rio de Operadores Page operador code injection\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Stux (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 6.5, \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\"}}], \"affected\": [{\"vendor\": \"Intelbras\", \"modules\": [\"Relat\\u00f3rio de Operadores Page\"], \"product\": \"InControl\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.21.0\"}, {\"status\": \"affected\", \"version\": \"2.21.1\"}, {\"status\": \"affected\", \"version\": \"2.21.2\"}, {\"status\": \"affected\", \"version\": \"2.21.3\"}, {\"status\": \"affected\", \"version\": \"2.21.4\"}, {\"status\": \"affected\", \"version\": \"2.21.5\"}, {\"status\": \"affected\", \"version\": \"2.21.6\"}, {\"status\": \"affected\", \"version\": \"2.21.7\"}, {\"status\": \"affected\", \"version\": \"2.21.8\"}, {\"status\": \"affected\", \"version\": \"2.21.9\"}, {\"status\": \"affected\", \"version\": \"2.21.10\"}, {\"status\": \"affected\", \"version\": \"2.21.11\"}, {\"status\": \"affected\", \"version\": \"2.21.12\"}, {\"status\": \"affected\", \"version\": \"2.21.13\"}, {\"status\": \"affected\", \"version\": \"2.21.14\"}, {\"status\": \"affected\", \"version\": \"2.21.15\"}, {\"status\": \"affected\", \"version\": \"2.21.16\"}, {\"status\": \"affected\", \"version\": \"2.21.17\"}, {\"status\": \"affected\", \"version\": \"2.21.18\"}, {\"status\": \"affected\", \"version\": \"2.21.19\"}, {\"status\": \"affected\", \"version\": \"2.21.20\"}, {\"status\": \"affected\", \"version\": \"2.21.21\"}, {\"status\": \"affected\", \"version\": \"2.21.22\"}, {\"status\": \"affected\", \"version\": \"2.21.23\"}, {\"status\": \"affected\", \"version\": \"2.21.24\"}, {\"status\": \"affected\", \"version\": \"2.21.25\"}, {\"status\": \"affected\", \"version\": \"2.21.26\"}, {\"status\": \"affected\", \"version\": \"2.21.27\"}, {\"status\": \"affected\", \"version\": \"2.21.28\"}, {\"status\": \"affected\", \"version\": \"2.21.29\"}, {\"status\": \"affected\", \"version\": \"2.21.30\"}, {\"status\": \"affected\", \"version\": \"2.21.31\"}, {\"status\": \"affected\", \"version\": \"2.21.32\"}, {\"status\": \"affected\", \"version\": \"2.21.33\"}, {\"status\": \"affected\", \"version\": \"2.21.34\"}, {\"status\": \"affected\", \"version\": \"2.21.35\"}, {\"status\": \"affected\", \"version\": \"2.21.36\"}, {\"status\": \"affected\", \"version\": \"2.21.37\"}, {\"status\": \"affected\", \"version\": \"2.21.38\"}, {\"status\": \"affected\", \"version\": \"2.21.39\"}, {\"status\": \"affected\", \"version\": \"2.21.40\"}, {\"status\": \"affected\", \"version\": \"2.21.41\"}, {\"status\": \"affected\", \"version\": \"2.21.42\"}, {\"status\": \"affected\", \"version\": \"2.21.43\"}, {\"status\": \"affected\", \"version\": \"2.21.44\"}, {\"status\": \"affected\", \"version\": \"2.21.45\"}, {\"status\": \"affected\", \"version\": \"2.21.46\"}, {\"status\": \"affected\", \"version\": \"2.21.47\"}, {\"status\": \"affected\", \"version\": \"2.21.48\"}, {\"status\": \"affected\", \"version\": \"2.21.49\"}, {\"status\": \"affected\", \"version\": \"2.21.50\"}, {\"status\": \"affected\", \"version\": \"2.21.51\"}, {\"status\": \"affected\", \"version\": \"2.21.52\"}, {\"status\": \"affected\", \"version\": \"2.21.53\"}, {\"status\": \"affected\", \"version\": \"2.21.54\"}, {\"status\": \"affected\", \"version\": \"2.21.55\"}, {\"status\": \"affected\", \"version\": \"2.21.56\"}, {\"status\": \"affected\", \"version\": \"2.21.57\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-09-28T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2024-09-28T02:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2024-11-04T20:16:24.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.278828\", \"name\": \"VDB-278828 | Intelbras InControl Relat\\u00f3rio de Operadores Page operador code injection\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.278828\", \"name\": \"VDB-278828 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.375614\", \"name\": \"Submit #375614 | Intelbras InControl 2.21.57 (last version) Command Injection\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://youtu.be/UdZVktPUy8A\", \"tags\": [\"media-coverage\"]}, {\"url\": \"https://backend.intelbras.com/sites/default/files/2024-10/Aviso%20de%20Seguran%C3%A7a%20-%20Incontrol%202.21.56%20e%202.21.57.pdf\", \"tags\": [\"related\"]}, {\"url\": \"https://download.cronos.intelbras.com.br/download/INCONTROL/INCONTROL-WEB/prod/INCONTROL-WEB-2.21.58-233dfd1ac1e2ca3eabb71c854005c78b.exe\", \"tags\": [\"patch\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relat\\u00f3rio de Operadores Page. The manipulation of the argument fields leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.21.58 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed early on 2024-07-19 about this issue. The release of a fixed version 2.21.58 was announced for the end of August 2024 but then was postponed until 2024-09-20.\"}, {\"lang\": \"de\", \"value\": \"Eine kritische Schwachstelle wurde in Intelbras InControl bis 2.21.57 ausgemacht. Betroffen davon ist ein unbekannter Prozess der Datei /v1/operador/ der Komponente Relat\\u00f3rio de Operadores Page. Dank der Manipulation des Arguments fields mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \\u00fcber das Netzwerk erfolgen. Der Exploit steht zur \\u00f6ffentlichen Verf\\u00fcgung. Ein Aktualisieren auf die Version 2.21.58 vermag dieses Problem zu l\\u00f6sen. Als bestm\\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"Code Injection\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"Injection\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-707\", \"description\": \"Improper Neutralization\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2024-11-04T19:13:08.178Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-9324\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-04T19:13:08.178Z\", \"dateReserved\": \"2024-09-28T13:28:09.234Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2024-09-29T07:00:05.883Z\", \"assignerShortName\": \"VulDB\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…