Vulnerabilites related to Carrier - i-Vu
CVE-2024-8526 (GCVE-0-2024-8526)
Vulnerability from cvelistv5
Published
2024-11-21 15:29
Modified
2024-11-21 17:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously
crafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection
of the user to a malicious webpage via "index.jsp"
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.corporate.carrier.com/product-security/advisories-resources/ | vendor-advisory | |
| https://www.cisa.gov/news-events/ics-advisories/ | government-resource |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Automated Logic, a Carrier company | WebCTRL |
Version: 7.0 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T17:38:21.418183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T17:38:33.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WebCTRL",
"vendor": "Automated Logic, a Carrier company",
"versions": [
{
"status": "affected",
"version": "7.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "i-Vu",
"vendor": "Carrier",
"versions": [
{
"status": "affected",
"version": "7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously\ncrafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection\nof the user to a malicious webpage via \"index.jsp\""
}
],
"value": "A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously\ncrafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection\nof the user to a malicious webpage via \"index.jsp\""
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T15:29:55.681Z",
"orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
"shortName": "Carrier"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue was fixed at version 8.0. It is recommended that customers upgrade their software to the latest supported version."
}
],
"value": "This issue was fixed at version 8.0. It is recommended that customers upgrade their software to the latest supported version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Automated Logic WebCTRL and Carrier i-Vu Open Redirect",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
"assignerShortName": "Carrier",
"cveId": "CVE-2024-8526",
"datePublished": "2024-11-21T15:29:55.681Z",
"dateReserved": "2024-09-06T16:01:31.447Z",
"dateUpdated": "2024-11-21T17:38:33.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8525 (GCVE-0-2024-8525)
Vulnerability from cvelistv5
Published
2024-11-21 15:32
Modified
2024-11-21 17:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
An unrestricted upload of file with dangerous type in Automated Logic WebCTRL 7.0 could allow an unauthenticated user to perform remote command execution via a crafted HTTP POST request which could lead to uploading a malicious file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.corporate.carrier.com/product-security/advisories-resources/ | vendor-advisory | |
| https://www.cisa.gov/news-events/ics-advisories/ | government-resource |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Automated Logic, a Carrier company | WebCTRL |
Version: 7.0 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:automatedlogic:webctrl:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webctrl",
"vendor": "automatedlogic",
"versions": [
{
"status": "affected",
"version": "7.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T17:34:08.034594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T17:37:57.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "WebCTRL",
"vendor": "Automated Logic, a Carrier company",
"versions": [
{
"status": "affected",
"version": "7.0"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "i-Vu",
"vendor": "Carrier",
"versions": [
{
"status": "affected",
"version": "7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unrestricted upload of file with dangerous type in Automated Logic WebCTRL 7.0 could allow an unauthenticated user to perform remote command execution via a crafted HTTP POST request which could lead to uploading a malicious file.\u0026nbsp;"
}
],
"value": "An unrestricted upload of file with dangerous type in Automated Logic WebCTRL 7.0 could allow an unauthenticated user to perform remote command execution via a crafted HTTP POST request which could lead to uploading a malicious file."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T15:32:55.593Z",
"orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
"shortName": "Carrier"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A software update is available on the authorized dealer support site. Although a software \nupdate is available for this issue, the last support date for v7.0 was 1/27/2023 and it is \nrecommended that customers upgrade their software to the latest supported version\n\n\u003cbr\u003e"
}
],
"value": "A software update is available on the authorized dealer support site. Although a software \nupdate is available for this issue, the last support date for v7.0 was 1/27/2023 and it is \nrecommended that customers upgrade their software to the latest supported version"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Automated Logic WebCTRL and Carrier i-Vu Unrestricted File Upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
"assignerShortName": "Carrier",
"cveId": "CVE-2024-8525",
"datePublished": "2024-11-21T15:32:55.593Z",
"dateReserved": "2024-09-06T16:01:29.505Z",
"dateUpdated": "2024-11-21T17:37:57.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}