Search criteria
2 vulnerabilities found for AggreGate Network Manager by Tibbo
CVE-2024-12700 (GCVE-0-2024-12700)
Vulnerability from cvelistv5 – Published: 2024-12-19 22:50 – Updated: 2024-12-20 17:38
VLAI?
Title
Tibbo AggreGate Network Manager Unrestricted Upload of File with Dangerous Type
Summary
There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tibbo | AggreGate Network Manager |
Affected:
0 , ≤ 6.34.02
(custom)
|
Credits
Vu Khanh Trinh (@Sonicrr) of VNPT Cyber Immunity working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T16:59:27.923802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T17:38:17.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AggreGate Network Manager",
"vendor": "Tibbo",
"versions": [
{
"lessThanOrEqual": "6.34.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vu Khanh Trinh (@Sonicrr) of VNPT Cyber Immunity working with Trend Micro Zero Day Initiative reported this vulnerability to CISA."
}
],
"datePublic": "2024-12-19T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThere is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server.\u003c/span\u003e"
}
],
"value": "There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T22:50:58.512Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05"
},
{
"url": "https://aggregate.digital/downloads.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eTibbo recommends users update to Versions 6.40.02, 6.34.03, or \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://aggregate.digital/downloads.html\"\u003elatest version.\u003c/a\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://aggregate.digital/downloads.html\"\u003e\u003c/a\u003e\n\n\u003cbr\u003e"
}
],
"value": "Tibbo recommends users update to Versions 6.40.02, 6.34.03, or latest version. https://aggregate.digital/downloads.html https://aggregate.digital/downloads.html"
}
],
"source": {
"advisory": "ICSA-24-354-05",
"discovery": "EXTERNAL"
},
"title": "Tibbo AggreGate Network Manager Unrestricted Upload of File with Dangerous Type",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-12700",
"datePublished": "2024-12-19T22:50:58.512Z",
"dateReserved": "2024-12-16T23:40:02.489Z",
"dateUpdated": "2024-12-20T17:38:17.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12700 (GCVE-0-2024-12700)
Vulnerability from nvd – Published: 2024-12-19 22:50 – Updated: 2024-12-20 17:38
VLAI?
Title
Tibbo AggreGate Network Manager Unrestricted Upload of File with Dangerous Type
Summary
There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tibbo | AggreGate Network Manager |
Affected:
0 , ≤ 6.34.02
(custom)
|
Credits
Vu Khanh Trinh (@Sonicrr) of VNPT Cyber Immunity working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T16:59:27.923802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T17:38:17.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AggreGate Network Manager",
"vendor": "Tibbo",
"versions": [
{
"lessThanOrEqual": "6.34.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vu Khanh Trinh (@Sonicrr) of VNPT Cyber Immunity working with Trend Micro Zero Day Initiative reported this vulnerability to CISA."
}
],
"datePublic": "2024-12-19T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThere is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server.\u003c/span\u003e"
}
],
"value": "There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T22:50:58.512Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05"
},
{
"url": "https://aggregate.digital/downloads.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eTibbo recommends users update to Versions 6.40.02, 6.34.03, or \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://aggregate.digital/downloads.html\"\u003elatest version.\u003c/a\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://aggregate.digital/downloads.html\"\u003e\u003c/a\u003e\n\n\u003cbr\u003e"
}
],
"value": "Tibbo recommends users update to Versions 6.40.02, 6.34.03, or latest version. https://aggregate.digital/downloads.html https://aggregate.digital/downloads.html"
}
],
"source": {
"advisory": "ICSA-24-354-05",
"discovery": "EXTERNAL"
},
"title": "Tibbo AggreGate Network Manager Unrestricted Upload of File with Dangerous Type",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-12700",
"datePublished": "2024-12-19T22:50:58.512Z",
"dateReserved": "2024-12-16T23:40:02.489Z",
"dateUpdated": "2024-12-20T17:38:17.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}