ExploitCVE-2024-9006
Improper Control of Generation of Code ('Code Injection') (CWE-94)
Summary
A critical vulnerability has been discovered in jeanmarc77 123solar version 1.8.4.5. The issue affects an unknown functionality in the file config/config_invt1.php. This vulnerability allows for code injection through the manipulation of the PASSOx argument. The attack can be launched remotely and requires low attack complexity with low privileges. No user interaction is needed for exploitation.
Impact
This vulnerability has been rated as critical with a CVSS v3.1 base score of 8.8, indicating high severity. The impact is significant across all three main security objectives: 1. Confidentiality: High impact, potentially allowing unauthorized access to sensitive information. 2. Integrity: High impact, possibly enabling attackers to modify or tamper with system data. 3. Availability: High impact, which could result in system disruptions or denial of service. The vulnerability can be exploited remotely over the network, making it particularly dangerous. Given that the exploit has been publicly disclosed, there is an increased risk of active exploitation in the wild.
Exploitation
Multiple proof-of-concept exploits are available on github.com, github.com. There is no evidence of proof of exploitation at the moment.
Patch
A patch is available and has been identified with the commit hash f4a8c748ec436e5a79f91ccb6a6f73752b336aa5. It is strongly recommended to apply this patch immediately to address the vulnerability.
Mitigation
1. Apply the available patch (commit f4a8c748ec436e5a79f91ccb6a6f73752b336aa5) immediately to all instances of 123solar version 1.8.4.5. 2. If immediate patching is not possible, consider temporarily disabling or restricting access to the affected component (config/config_invt1.php) until the patch can be applied. 3. Implement network segmentation and access controls to limit potential attack vectors. 4. Monitor systems for any suspicious activities, particularly those involving the PASSOx argument in requests to the affected file. 5. Regularly review and update security measures, including timely application of security patches for all software components.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Timeline
Feedly found the first article mentioning CVE-2024-9006. See article
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-9006
A CVSS base score of 6.3 has been assigned.
EPSS Score was set to: 0.04% (Percentile: 10.9%)
A CVSS base score of 8.8 has been assigned.
A CVSS base score of 8.8 has been assigned.