Lucene search

K
zdiNatnael Samson (@NattiSamson)ZDI-24-488
HistoryMay 22, 2024 - 12:00 a.m.

LAquis SCADA LGX Report TextFile Open Path Traversal Remote Code Execution Vulnerability

2024-05-2200:00:00
Natnael Samson (@NattiSamson)
www.zerodayinitiative.com
3
remote code execution
path traversal
user interaction
file operations
user validation

0.001 Low

EPSS

Percentile

48.6%

This vulnerability allows remote attackers to execute arbitrary code on affected installations of LAquis SCADA. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the TextFile.Open method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user.

0.001 Low

EPSS

Percentile

48.6%