Unpatched XPath Injection Vulnerability in Netentsec NS-ASG Application Security Gateway Could Lead to Remote Code Execution
CVE-2024-2648

5.3MEDIUM

Key Information:

Vendor

Netentsec

Status
Ns-asg Application Security Gateway
Vendor
CVE Published:
19 March 2024

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2024-2648?

An XPath injection vulnerability exists within the Netentsec NS-ASG Application Security Gateway 6.3, specifically affecting the function located in the file /nac/naccheck.php. This weakness arises from improper neutralization of user input in the 'username' argument. Attackers can exploit this vulnerability remotely, potentially leading to unauthorized data manipulation or disclosure. Despite timely notification to the vendor regarding this security issue, no response has been reported, leaving systems vulnerable to this publicly disclosed exploit.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

NS-ASG Application Security Gateway 6.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-2648 - Proof of Concept

References

https://vuldb.com/?id.257286
vdb-entrytechnical-description
https://vuldb.com/?ctiid.257286
signaturepermissions-required
https://github.com/flyyue2001/cve/blob/main/NS-ASG-sql-na...
exploit

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

18070802606 (VulDB User)
JSON
.