cvelist | Twcert | CVELIST:CVE-2024-4894
History: May 15, 2024 - 2:53 a.m.

CVE-2024-4894 ITPison OMICARD EDM - Server-Side Request Forgery

2024-05-15 02:53:45
CWE-918
twcert
www.cve.org
cve-2024-4894
itpison omicard edm
server-side request forgery
ssrf
remote attackers
url parameter
internal network

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 5.7 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 17.0%)

ITPison OMICARD EDM fails to properly filter a specific URL parameter, allowing unauthenticated remote attackers to modify the parameter and conduct Server-Side Request Forgery (SSRF) attacks. This vulnerability enables attackers to probe internal network information.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "OMICARD EDM",
    "vendor": "ITPison",
    "versions": [
      {
        "lessThan": "6.0",
        "status": "affected",
        "version": "earlier",
        "versionType": "custom"
      }
    ]
  }
]
