Lucene search

MoxaVULNRICHMENT:CVE-2024-4638

HistoryJun 25, 2024 - 8:49 a.m.

CVE-2024-4638 OnCell G3470A-LTE Series: Authenticated Command Injection via webUploadKey

2024-06-2508:49:24

CWE-77

Moxa

github.com

oncell g3470a-lte

firmware v1.7.7

authenticated command injection

web key upload

vulnerability

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

7.5

Confidence

Low

EPSS

0.001

Percentile

19.6%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to a lack of neutralized inputs in the web key upload function. An attacker could modify the intended commands sent to target functions, which could cause malicious users to execute unauthorized commands.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:h:moxa:oncell_g3470a-lte-us:-:*:*:*:*:*:*:*"
    ],
    "vendor": "moxa",
    "product": "oncell_g3470a-lte-us",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "1.7.7"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

7.5

Confidence

Low

EPSS

0.001

Percentile

19.6%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-4638