Lucene search

[email protected]CVE-2024-3123

HistoryJul 01, 2024 - 5:15 a.m.

CVE-2024-3123

2024-07-0105:15:04

CWE-434

[email protected]

web.nvd.nist.gov

mobile one time password

file upload

vulnerability

remote attackers

administrator privilege

system commands

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

19.5%

JSON

CHANGING Mobile One Time Password’s uploading function in a hidden page does not filter file type properly. Remote attackers with administrator privilege can exploit this vulnerability to upload and run malicious file to execute system commands.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mobile One Time Password",
    "vendor": "CHANGING",
    "versions": [
      {
        "lessThanOrEqual": "3.11.3",
        "status": "affected",
        "version": "3.11",
        "versionType": "custom"
      }
    ]
  }
]

References

www.twcert.org.tw/en/cp-139-7914-33fbb-2.html

www.twcert.org.tw/tw/cp-132-7913-6528e-1.html

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

19.5%

JSON

Related for CVE-2024-3123

nvd1 cvelist1 vulnrichment1