Lucene search

[email protected]CVE-2024-1705

HistoryFeb 21, 2024 - 6:15 p.m.

CVE-2024-1705

2024-02-2118:15:50

CWE-94

[email protected]

web.nvd.nist.gov

shopwind

vulnerability

remote code injection

actioncreate

defaultcontroller.php

cve-2024-1705

nvd

critical

vdb-254393

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

5.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

A vulnerability was found in Shopwind up to 4.6. It has been rated as critical. This issue affects the function actionCreate of the file /public/install/controllers/DefaultController.php of the component Installation. The manipulation leads to code injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-254393 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected configurations

Vulners

Node

shopwindshopwindMatch4.0

shopwindshopwindMatch4.1

shopwindshopwindMatch4.2

shopwindshopwindMatch4.3

shopwindshopwindMatch4.4

shopwindshopwindMatch4.5

shopwindshopwindMatch4.6

VendorProductVersionCPE
shopwindshopwind4.0cpe:2.3:a:shopwind:shopwind:4.0:*:*:*:*:*:*:*
shopwindshopwind4.1cpe:2.3:a:shopwind:shopwind:4.1:*:*:*:*:*:*:*
shopwindshopwind4.2cpe:2.3:a:shopwind:shopwind:4.2:*:*:*:*:*:*:*
shopwindshopwind4.3cpe:2.3:a:shopwind:shopwind:4.3:*:*:*:*:*:*:*
shopwindshopwind4.4cpe:2.3:a:shopwind:shopwind:4.4:*:*:*:*:*:*:*
shopwindshopwind4.5cpe:2.3:a:shopwind:shopwind:4.5:*:*:*:*:*:*:*
shopwindshopwind4.6cpe:2.3:a:shopwind:shopwind:4.6:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
shopwind	shopwind	4.0	cpe:2.3:a:shopwind:shopwind:4.0:::::::*
shopwind	shopwind	4.1	cpe:2.3:a:shopwind:shopwind:4.1:::::::*
shopwind	shopwind	4.2	cpe:2.3:a:shopwind:shopwind:4.2:::::::*
shopwind	shopwind	4.3	cpe:2.3:a:shopwind:shopwind:4.3:::::::*
shopwind	shopwind	4.4	cpe:2.3:a:shopwind:shopwind:4.4:::::::*
shopwind	shopwind	4.5	cpe:2.3:a:shopwind:shopwind:4.5:::::::*
shopwind	shopwind	4.6	cpe:2.3:a:shopwind:shopwind:4.6:::::::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Shopwind",
    "versions": [
      {
        "version": "4.0",
        "status": "affected"
      },
      {
        "version": "4.1",
        "status": "affected"
      },
      {
        "version": "4.2",
        "status": "affected"
      },
      {
        "version": "4.3",
        "status": "affected"
      },
      {
        "version": "4.4",
        "status": "affected"
      },
      {
        "version": "4.5",
        "status": "affected"
      },
      {
        "version": "4.6",
        "status": "affected"
      }
    ],
    "modules": [
      "Installation"
    ]
  }
]

References

note.zhaoj.in/share/QHdXavkw5eDm

vuldb.com/?ctiid.254393

vuldb.com/?id.254393

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

5.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for CVE-2024-1705

prion1 nvd1 cvelist1