Lucene search

TwcertCVELIST:CVE-2024-8585

HistorySep 09, 2024 - 3:03 a.m.

CVE-2024-8585 LEARNING DIGITAL Orca HCM - Arbitrary File Download

2024-09-0903:03:59

CWE-22

twcert

www.cve.org

orca hcm

arbitrary file download

remote attacker

regular privileges

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

19.7%

JSON

Orca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Orca HCM",
    "vendor": "LEARNING DIGITAL",
    "versions": [
      {
        "lessThan": "11.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.twcert.org.tw/en/cp-139-8042-f9f26-2.html

www.twcert.org.tw/tw/cp-132-8041-dfbf9-1.html

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

19.7%

JSON

Related for CVELIST:CVE-2024-8585