CVE-2024-7679

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Sep 25, 2024 / Updated: 55d ago

CVSS 7.8 (High) / EPSS 0.04%

Summary

In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements.

Impact

This vulnerability allows a command injection attack with high impact on the confidentiality, integrity, and availability of the affected system. An attacker could execute arbitrary commands on the target system, leading to unauthorized access, data manipulation, or system disruption. The attack requires local access and user interaction, but no privileges are needed to exploit it.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at this time.

Patch

A patch is available. The vulnerability has been addressed in Telerik UI for WinForms version 2024 Q3 (2024.3.924) and later.

Mitigation

1. Update Telerik UI for WinForms to version 2024.3.924 or later.
2. If an immediate update is not possible, implement strict input validation and sanitization for hyperlink elements.
3. Apply the principle of least privilege to limit the potential impact of a successful exploit.
4. Monitor systems for suspicious activity related to command injection attempts.
5. Educate users about the risks of interacting with untrusted hyperlinks or content within the application.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-7679

Sep 25, 2024 at 2:15 PM
CVSS

A CVSS base score of 7.8 has been assigned.

Sep 25, 2024 at 2:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-7679.

Sep 25, 2024 at 2:22 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 25, 2024 at 2:22 PM
Threat Intelligence Report

CVE-2024-7679 is one of four recently reported vulnerabilities in the Progress Telerik UI that could lead to command injection and code execution. The criticality and CVSS score of this vulnerability are not specified in the provided information, nor is there any mention of exploitation in the wild, proof-of-concept exploits, mitigations, detections, or patches available. Additionally, there is no information regarding downstream impacts to other third-party vendors or technology.

Oct 8, 2024 at 11:16 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208755)

Oct 11, 2024 at 11:15 PM

Affected Systems

Telerik/ui_for_wpf

Patches

docs.telerik.com

Attack Patterns

CAPEC-136: LDAP Injection

References

Command Injection Vulnerability
In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements.

News

Progress Telerik UI for WinForms < 2024.3.924 Command Injection
The version of Progress Telerik UI for WinForms installed on the remote host is prior to 2024.3.924. - In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements.
Cyble Honeypot Sensors Detect D-Link, Cisco, QNAP and Linux Attacks
Cyble’s Vulnerability Intelligence unit last week detected numerous exploit attempts, malware intrusions, phishing campaigns, and brute-force attacks via its network of Honeypot sensors. 25-Oct. 1, Cyble researchers identified several recent active exploits, including new attacks against a number of network products and routers, more than 300 new spam email addresses, and thousands of brute-force attacks.
Security Bulletin 02 Oct 2024 - Cyber Security Agency of Singapore
This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing ...
Multiple Vulnerabilities in Progress Telerik Products (Telerik UI)
Development Last Updated: 10/2/2024 CVEs: CVE-2024-7576 , CVE-2024-7575 , CVE-2024-8316 , CVE-2024-7679
CVE Alert: CVE-2024-7679 - https://www.redpacketsecurity.com/cve_alert_cve-2024-7679/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_7679
CVE Alert: CVE-2024-7679 - redpacketsecurity.com/cve_al… #OSINT #ThreatIntel #CyberSecurity #cve_2024_7679

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
