IDExpert Vulnerability Allows Remote Execution of OS Commands
CVE-2024-10653
7.2 HIGH
Key Information:
- Status
- Vendor
- CVE Published: 1 November 2024
Summary
A command injection vulnerability exists in IDExpert, a product from CHANGING Information Technology, due to inadequate validation of a specific parameter in the administrator interface. This oversight can be exploited by remote attackers who possess administrative privileges, enabling them to inject and execute operating system commands on the server. Such exploitation can have severe implications for system security, potentially leading to unauthorized data access and manipulation.
Affected Version(s)
IDExpert 2.5 <= 2.8
CVSS V3.1
Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved