
CVE-2024-4894

2024-05-15 03:15:14
CWE-918
web.nvd.nist.gov
Tags: itpison omicard, edm, url parameter, ssrf attack, remote attackers, internal network

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 7 High (Confidence: Low)

EPSS: 0.0005 Low (Percentile: 17.1%)

ITPison OMICARD EDM fails to properly filter a specific URL parameter, allowing unauthenticated remote attackers to modify the parameter and conduct Server-Side Request Forgery (SSRF) attacks. This vulnerability enables attackers to probe internal network information.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "OMICARD EDM",
    "vendor": "ITPison",
    "versions": [
      {
        "lessThan": "6.0",
        "status": "affected",
        "version": "earlier",
        "versionType": "custom"
      }
    ]
  }
]
