CVE-2024-50492

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 28, 2024 / Updated: 22d ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart allows Code Injection. This issue affects ScottCart versions up to and including 1.1.

Impact

This vulnerability has a critical impact on the affected systems. With a CVSS v3.1 base score of 9.8, it poses a severe risk. The vulnerability allows for code injection, which can lead to unauthorized code execution on the target system. The impact is high across all three main security aspects:

1. Confidentiality: High impact, potentially allowing attackers to access sensitive information.
2. Integrity: High impact, enabling attackers to modify or inject malicious code, compromising the system's trustworthiness.
3. Availability: High impact, potentially allowing attackers to disrupt normal operations or cause system downtime.

The attack vector is network-based, requires no user interaction, and can be executed with low attack complexity, making it relatively easy for attackers to exploit.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

As of the latest information provided, there is no mention of a specific patch being available. The vulnerability affects ScottCart versions up to and including 1.1, suggesting that users should look for updates beyond this version or await an official patch from Scott Paterson.

Mitigation

Given the severity of this vulnerability, immediate action is recommended:

1. Update ScottCart: If a version newer than 1.1 is available, update immediately after thorough testing.
2. Implement a Web Application Firewall (WAF): Configure rules to detect and block code injection attempts.
3. Input Validation: Enforce strict input validation on all user-supplied data to prevent code injection.
4. Least Privilege: Ensure the application runs with the minimal necessary permissions to limit the impact of successful exploits.
5. Network Segmentation: Isolate systems running ScottCart to minimize the potential spread of an attack.
6. Monitoring: Implement robust logging and monitoring to detect potential exploitation attempts.
7. Temporary Measures: If immediate patching is not possible, consider temporarily disabling the affected component or restricting access to trusted IP addresses only.

Prioritize this vulnerability for immediate attention due to its high severity score and the potential for significant impact on affected systems.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-50492.

Oct 28, 2024 at 11:58 AM / Vulners.com RSS Feed
CVE Assignment

NVD published the first details for CVE-2024-50492

Oct 28, 2024 at 12:15 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 28, 2024 at 12:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.9%)

Oct 29, 2024 at 9:43 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 31, 2024 at 1:15 AM / nvd

Affected Systems

Scottpaterson/scottcart

Attack Patterns

CAPEC-242: Code Injection

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 21, 2024 to October 27, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
Security Bulletin 30 Oct 2024 - Cyber Security Agency of Singapore
A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute ...
CVE-2024-50492
High Severity Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart allows Code Injection. This issue affects ScottCart: from n/a through 1.1. Read more at https://www.tenable.com/cve/CVE-2024-50492
NA - CVE-2024-50492 - Improper Control of Generation of Code...
Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart allows Code Injection. This issue affects ScottCart: from n/a through 1.1.
cveNotify : 🚨 CVE-2024-50492 Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart allows Code Injection. This issue affects ScottCart: from n/a through 1.1. 🎖@cveNotify

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
