Lucene search

K
zdiNatnael Samson (@NattiSamson)ZDI-24-490
HistoryMay 22, 2024 - 12:00 a.m.

LAquis SCADA LGX Report Processing AddComboFile Path Traversal Remote Code Execution Vulnerability

2024-05-2200:00:00
Natnael Samson (@NattiSamson)
www.zerodayinitiative.com
3
vulnerability
laquis scada
remote code execution
addcombofile method
file operations
user interaction

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.6%

This vulnerability allows remote attackers to execute arbitrary code on affected installations of LAquis SCADA. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the AddComboFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the logged-in user.

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.6%