Low Privileged Remote Attacker Can Execute Code as User-App User Due to Input Validation Flaw
CVE-2024-28135

5MEDIUM

Key Information:

Vendor: Phoenix Contact
Status: Charx Sec-3000; Charx Sec-3050; Charx Sec-3100; Charx Sec-3150
Vendor: CVE Published:; 14 May 2024

Summary

A low privileged remote attacker can use a command injection vulnerability in the API which performs remote code execution as the user-app user due to improper input validation. The confidentiality is partly affected.

Affected Version(s)

CHARX SEC-3000 0 <= 1.5.1

CHARX SEC-3050 0 <= 1.5.1

CHARX SEC-3100 0 <= 1.5.1

References

https://cert.vde.com/en/advisories/VDE-2024-019

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
Mar 5, 2024

Credit

Trend Micro's Zero Day Initiative

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)