Lucene search

DirectcyberVULNRICHMENT:CVE-2024-29837

HistoryApr 14, 2024 - 11:47 p.m.

CVE-2024-29837 Poor session management in Evolution Controller allows administrator functionality for unauthenticated connections

2024-04-1423:47:48

CWE-1390

CWE-284

directcyber

github.com

evolution controller

cve-2024-29837

poor session management

unauthenticated connections

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Evolution Controller",
    "vendor": "CS Technologies Australia",
    "versions": [
      {
        "status": "affected",
        "version": "2.x"
      }
    ]
  }
]

References

directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VULNRICHMENT:CVE-2024-29837