Lucene search

TwcertVULNRICHMENT:CVE-2024-3123

HistoryJul 01, 2024 - 2:52 a.m.

CVE-2024-3123 CHANGING Mobile One Time Password - Arbitrary File Upload

2024-07-0102:52:34

CWE-434

twcert

github.com

cve-2024-3123

mobile one time password

arbitrary file upload

remote attackers

administrator privilege

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

Low

JSON

CHANGING Mobile One Time Password’s uploading function in a hidden page does not filter file type properly. Remote attackers with administrator privilege can exploit this vulnerability to upload and run malicious file to execute system commands.

CNA Affected

[
  {
    "vendor": "CHANGING",
    "product": "Mobile One Time Password",
    "versions": [
      {
        "status": "affected",
        "version": "3.11",
        "versionType": "custom",
        "lessThanOrEqual": "3.11.3"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

www.twcert.org.tw/en/cp-139-7914-33fbb-2.html

www.twcert.org.tw/tw/cp-132-7913-6528e-1.html

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

Low

JSON

Related for VULNRICHMENT:CVE-2024-3123