CVE-2024-6051 - OpenCVE

Cross Application Scripting vulnerability in Vercom S.A. Redlink SDK in specific situations allows local code injection and to manipulate the view of a vulnerable application.This issue affects Redlink SDK versions through 1.13.

Attack Vector Local

Attack Complexity High

Privileges Required High

Attack Requirements Present

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://cert.pl/en/posts/2024/09/CVE-2024-6051/
https://cert.pl/posts/2024/09/CVE-2024-6051/

History

Tue, 01 Oct 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Sep 2024 13:00:00 +0000

Type	Values Removed	Values Added
Description		Cross Application Scripting vulnerability in Vercom S.A. Redlink SDK in specific situations allows local code injection and to manipulate the view of a vulnerable application.This issue affects Redlink SDK versions through 1.13.
Title		Cross Application Scripting in Redlink SDK
Weaknesses		CWE-99
References		https://cert.pl/en/posts/2024/09/CVE-2024-6051/ https://cert.pl/posts/2024/09/CVE-2024-6051/
Metrics		cvssV4_0 `{'score': 4.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Clear'}`

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2024-09-30T12:33:25.438Z

Updated: 2024-10-01T14:34:54.427Z

Reserved: 2024-06-17T09:27:09.006Z

Link: CVE-2024-6051

Vulnrichment

Updated: 2024-10-01T14:34:51.434Z

NVD

Status : Awaiting Analysis

Published: 2024-09-30T13:15:02.800

Modified: 2024-10-04T13:51:25.567

Link: CVE-2024-6051

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6051", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-06-17T09:27:09.006Z", "datePublished": "2024-09-30T12:33:25.438Z", "dateUpdated": "2024-10-01T14:34:54.427Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Redlink SDK", "repo": "https://github.com/vercomsa/redlink-push-android-sdk", "vendor": "Vercom S.A.", "versions": [{"lessThanOrEqual": "1.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Maksymilian Motyl (Immunity Systems)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross Application Scripting vulnerability in Vercom S.A. Redlink SDK in specific situations allows local code injection and to manipulate the view of a vulnerable application.<p>This issue affects Redlink SDK versions through 1.13.</p>"}], "value": "Cross Application Scripting vulnerability in Vercom S.A. Redlink SDK\u00a0in specific situations allows local code injection and to manipulate the view of a vulnerable application.This issue affects Redlink SDK versions through 1.13."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 4.3, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "CLEAR", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-99", "description": "CWE-99 Improper Control of Resource Identifiers ('Resource Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-09-30T12:33:25.438Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/09/CVE-2024-6051/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/09/CVE-2024-6051/"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross Application Scripting in Redlink SDK", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-01T14:34:26.074722Z", "id": "CVE-2024-6051", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T14:34:54.427Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6051", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-01T14:34:26.074722Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T14:34:51.434Z"}}], "cna": {"title": "Cross Application Scripting in Redlink SDK", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Maksymilian Motyl (Immunity Systems)"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 4.3, "Automatable": "NO", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Clear", "providerUrgency": "CLEAR", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/vercomsa/redlink-push-android-sdk", "vendor": "Vercom S.A.", "product": "Redlink SDK", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.13"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2024/09/CVE-2024-6051/", "tags": ["third-party-advisory"]}, {"url": "https://cert.pl/posts/2024/09/CVE-2024-6051/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Cross Application Scripting vulnerability in Vercom S.A. Redlink SDK\u00a0in specific situations allows local code injection and to manipulate the view of a vulnerable application.This issue affects Redlink SDK versions through 1.13.", "supportingMedia": [{"type": "text/html", "value": "Cross Application Scripting vulnerability in Vercom S.A. Redlink SDK in specific situations allows local code injection and to manipulate the view of a vulnerable application.<p>This issue affects Redlink SDK versions through 1.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-99", "description": "CWE-99 Improper Control of Resource Identifiers ('Resource Injection')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-09-30T12:33:25.438Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6051", "state": "PUBLISHED", "dateUpdated": "2024-10-01T14:34:54.427Z", "dateReserved": "2024-06-17T09:27:09.006Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-09-30T12:33:25.438Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Application Scripting vulnerability in Vercom S.A. Redlink SDK\u00a0in specific situations allows local code injection and to manipulate the view of a vulnerable application.This issue affects Redlink SDK versions through 1.13."}, {"lang": "es", "value": "La vulnerabilidad de secuencias de comandos entre aplicaciones en el SDK de Vercom SA Redlink en situaciones espec\u00edficas permite la inyecci\u00f3n de c\u00f3digo local y la manipulaci\u00f3n de la vista de una aplicaci\u00f3n vulnerable. Este problema afecta a las versiones del SDK de Redlink hasta la 1.13."}], "id": "CVE-2024-6051", "lastModified": "2024-10-04T13:51:25.567", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "automatable": "NO", "availabilityRequirements": "NOT_DEFINED", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "CLEAR", "recovery": "USER", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:L/U:Clear", "version": "4.0", "vulnerabilityResponseEffort": "LOW", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "HIGH"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2024-09-30T13:15:02.800", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2024/09/CVE-2024-6051/"}, {"source": "cvd@cert.pl", "url": "https://cert.pl/posts/2024/09/CVE-2024-6051/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-99"}], "source": "cvd@cert.pl", "type": "Secondary"}]}