Arbitrary Code Execution Vulnerability Affects Controller Products

CVE-2024-23317

6.3MEDIUM

Key Information

Vendor: Gallagher
Status: Controller 6000 And Controller 7000
Vendor: CVE Published:; 11 July 2024

Summary

External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. This issue affects: 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.

Affected Version(s)

Controller 6000 and Controller 7000 <= 0

Controller 6000 and Controller 7000 < 8.60

Controller 6000 and Controller 7000 <= 9.10

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 11, 2024
Vulnerability Reserved.
Feb 5, 2024

Collectors

NVD DatabaseMitre Database