Lucene search

TwcertCVE-2024-40721

HistoryAug 02, 2024 - 11:16 a.m.

CVE-2024-40721

2024-08-0211:16:43

CWE-20

twcert

web.nvd.nist.gov

tcbservisign

windows version

changing information technology

server-side input validation

unauthenticated remote attackers

dll load

arbitrary path

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

38.5%

JSON

The specific API in TCBServiSign Windows Version from CHANGING Information Technology does not properly validate server-side input. When a user visits a spoofed website, unauthenticated remote attackers can cause the TCBServiSign to load a DLL from an arbitrary path.

Affected configurations

Nvd

Node

changingtectcb_servisignRange<1.0.24.0318windows

VendorProductVersionCPE
changingtectcb_servisign*cpe:2.3:a:changingtec:tcb_servisign:*:*:*:*:*:windows:*:*

Vendor	Product	Version	CPE
changingtec	tcb_servisign	*	cpe:2.3:a:changingtec:tcb_servisign::::::windows::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "TCBServiSign Windows Version",
    "vendor": "CHANGING Information Technology",
    "versions": [
      {
        "lessThan": "1.0.24.0318",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.twcert.org.tw/en/cp-139-7972-01a6e-2.html

www.twcert.org.tw/tw/cp-132-7966-8c6c3-1.html

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

38.5%

JSON

Related for CVE-2024-40721