Code Injection Vulnerability in jeanmarc77 123solar Software
CVE-2024-9006

8.8HIGH

Key Information:

Vendor
Jeanmarc77
Status
123solar
Vendor
CVE Published:
19 September 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

A significant code injection vulnerability has been identified in the jeanmarc77 123solar version 1.8.4.5. This flaw affects the file 'config/config_invt1.php,' allowing an attacker to manipulate the 'PASSOx' argument. If successfully exploited, this vulnerability can lead to unauthorized code execution on the affected server, raising severe security concerns. The exploit is publicly known, meaning users and organizations utilizing this version of the software face an elevated risk of remote attacks. It is crucial for users to apply the provided patch identified by commit ID f4a8c748ec436e5a79f91ccb6a6f73752b336aa5 as soon as possible to mitigate this threat effectively.

Affected Version(s)

123solar 1.8.4.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-9006 - Proof of Concept

References

https://vuldb.com/?id.278162
vdb-entrytechnical-description
https://vuldb.com/?ctiid.278162
signaturepermissions-required
https://vuldb.com/?submit.408298
third-party-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

hejiasheng (VulDB User)
.