Lucene search

[email protected]NVD:CVE-2024-1863

HistoryApr 01, 2024 - 10:15 p.m.

CVE-2024-1863

2024-04-0122:15:12

CWE-89

[email protected]

web.nvd.nist.gov

cve-2024-1863

remote code execution

sql injection

sante pacs server

vulnerability

http requests

port 3000

user-supplied string

sql queries

zdi-can-21539

network service

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

29.0%

JSON

Sante PACS Server Token Endpoint SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of HTTP requests on port 3000. When parsing the token parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-21539.

References

www.zerodayinitiative.com/advisories/ZDI-24-193/

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

29.0%

JSON

Related for NVD:CVE-2024-1863

cvelist1 cve1 zdi1