CVE-2024-6424 - OpenCVE

External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST" or "/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST" to read the source code of web files, read internal files or access network resources.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-07-01T12:54:20.749Z

Updated: 2024-08-01T21:41:03.308Z

Reserved: 2024-07-01T09:36:50.138Z

Link: CVE-2024-6424

Vulnrichment

Updated: 2024-08-01T21:41:03.308Z

NVD

Status : Awaiting Analysis

Published: 2024-07-01T13:15:06.690

Modified: 2024-07-01T16:37:39.040

Link: CVE-2024-6424

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6424", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-07-01T09:36:50.138Z", "datePublished": "2024-07-01T12:54:20.749Z", "dateUpdated": "2024-08-01T21:41:03.308Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MESbook", "vendor": "MESbook", "versions": [{"status": "affected", "version": "20221021.03"}]}], "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "datePublic": "2024-07-01T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint \"/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST\" or \"/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST\" to read the source code of web files, read internal files or access network resources."}], "value": "External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint \"/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST\" or \"/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST\" to read the source code of web files, read internal files or access network resources."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-07-01T12:56:59.275Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook"}], "source": {"discovery": "UNKNOWN"}, "title": "Server-Side Request Forgery vulnerability in MESbook", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-01T21:19:58.355797Z", "id": "CVE-2024-6424", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-01T21:20:07.272Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.308Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.308Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6424", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-01T21:19:58.355797Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-01T21:20:03.406Z"}}], "cna": {"title": "Server-Side Request Forgery vulnerability in MESbook", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MESbook", "product": "MESbook", "versions": [{"status": "affected", "version": "20221021.03"}], "defaultStatus": "unaffected"}], "datePublic": "2024-07-01T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint \"/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST\" or \"/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST\" to read the source code of web files, read internal files or access network resources.", "supportingMedia": [{"type": "text/html", "value": "External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint \"/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST\" or \"/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST\" to read the source code of web files, read internal files or access network resources.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-07-01T12:56:59.275Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6424", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:41:03.308Z", "dateReserved": "2024-07-01T09:36:50.138Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-07-01T12:54:20.749Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}