CVE-2024-6427 - Vulnerability Details - OpenCVE

Uncontrolled Resource Consumption vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can use the "message" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0062.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MESbook

MESbook

unaffected

Version	Status	Constraints
`20221021.03`	affected	—

Configuration 1 [-]

cpe:2.3:a:mesbook:mesbook:20221021.03:*:*:*:*:*:*:*

No data.

No data.

Subscriptions

Vendors	Products
Mesbook Subscribe	Mesbook Subscribe

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-47530	Uncontrolled Resource Consumption vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can use the "message" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-07-03T11:53:15.828Z

Updated: 2024-08-01T21:41:03.230Z

Reserved: 2024-07-01T09:36:53.436Z

Link: CVE-2024-6427

Vulnrichment

Updated: 2024-08-01T21:41:03.230Z

NVD

Status : Modified

Published: 2024-07-03T12:15:03.430

Modified: 2024-11-21T09:49:38.180

Link: CVE-2024-6427

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6427", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-07-01T09:36:53.436Z", "datePublished": "2024-07-03T11:53:15.828Z", "dateUpdated": "2024-08-01T21:41:03.230Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MESbook", "vendor": "MESbook", "versions": [{"status": "affected", "version": "20221021.03"}]}], "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "datePublic": "2024-07-01T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Uncontrolled Resource Consumption vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can use the \"message\" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application."}], "value": "Uncontrolled Resource Consumption vulnerability in MESbook\u00a020221021.03 version. An unauthenticated remote attacker can use the \"message\" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-07-03T11:53:15.828Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook"}], "source": {"discovery": "UNKNOWN"}, "title": "Uncontrolled Resource Consumption vulnerability in MESbook", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "mesbook", "product": "mesbook", "cpes": ["cpe:2.3:a:mesbook:mesbook:20221021.03:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "20221021.03", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T13:47:32.064510Z", "id": "CVE-2024-6427", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T20:02:52.626Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.230Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.230Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6427", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T13:47:32.064510Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mesbook:mesbook:20221021.03:*:*:*:*:*:*:*"], "vendor": "mesbook", "product": "mesbook", "versions": [{"status": "affected", "version": "20221021.03"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T17:41:58.774Z"}}], "cna": {"title": "Uncontrolled Resource Consumption vulnerability in MESbook", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MESbook", "product": "MESbook", "versions": [{"status": "affected", "version": "20221021.03"}], "defaultStatus": "unaffected"}], "datePublic": "2024-07-01T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption vulnerability in MESbook\u00a020221021.03 version. An unauthenticated remote attacker can use the \"message\" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application.", "supportingMedia": [{"type": "text/html", "value": "Uncontrolled Resource Consumption vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can use the \"message\" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-07-03T11:53:15.828Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6427", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:41:03.230Z", "dateReserved": "2024-07-01T09:36:53.436Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-07-03T11:53:15.828Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mesbook:mesbook:20221021.03:*:*:*:*:*:*:*", "matchCriteriaId": "6A88D35E-03EA-4646-8B37-74AFE2F6A2AC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption vulnerability in MESbook\u00a020221021.03 version. An unauthenticated remote attacker can use the \"message\" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application."}, {"lang": "es", "value": "Vulnerabilidad de consumo de recursos incontrolado en la versi\u00f3n MESbook 20221021.03. Un atacante remoto no autenticado puede usar el par\u00e1metro \"mensaje\" para inyectar un payload con c\u00f3digo JavaScript peligroso, lo que hace que la aplicaci\u00f3n realice un bucle de solicitudes sobre s\u00ed misma, lo que podr\u00eda provocar el consumo de recursos y deshabilitar la aplicaci\u00f3n."}], "id": "CVE-2024-6427", "lastModified": "2024-11-21T09:49:38.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-03T12:15:03.430", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-mesbook"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}