Improper Authentication in knightliao Disconf Configuration Center
CVE-2024-10620

5.3MEDIUM

Key Information:

Vendor: Knightliao
Status: Disconf
Vendor: CVE Published:; 1 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-10620?

A critical vulnerability has been identified in knightliao's Disconf version 2.6.36, specifically affecting the Configuration Center component. This vulnerability allows for improper authentication through the /api/config/list endpoint, enabling malicious actors to initiate attacks remotely. Since the exploit is publicly disclosed, it raises significant concerns regarding the security of deployed instances. Users of the affected software are urged to review their systems and apply necessary mitigations to address the potential risk.

Affected Version(s)

Disconf 2.6.36

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10620 - Proof of Concept

References

https://vuldb.com/?id.282633

vdb-entry

https://vuldb.com/?ctiid.282633

signaturepermissions-required

https://vuldb.com/?submit.429927

third-party-advisory

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 1, 2024
👾
Exploit known to exist
Nov 1, 2024
Vulnerability published
Nov 1, 2024
Vulnerability Reserved
Oct 31, 2024

Credit

gaogaostone (VulDB User)

Knightliao

Badges

What is CVE-2024-10620?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline

Credit