CVE-2024-8526 - Vulnerability Details - OpenCVE

A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously
crafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection
of the user to a malicious webpage via "index.jsp"

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00144.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Fixes

Solution

This issue was fixed at version 8.0. It is recommended that customers upgrade their software to the latest supported version.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/
https://www.corporate.carrier.com/product-security/advisories-resources/

History

Thu, 21 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 21 Nov 2024 15:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously crafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection of the user to a malicious webpage via "index.jsp"
Title		Automated Logic WebCTRL and Carrier i-Vu Open Redirect
Weaknesses		CWE-601
References		https://www.cisa.gov/news-events/ics-advisories/ https://www.corporate.carrier.com/product-security/advisories-resources/
Metrics		cvssV4_0 `{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Carrier

Published: 2024-11-21T15:29:55.681Z

Updated: 2024-11-21T17:38:33.315Z

Reserved: 2024-09-06T16:01:31.447Z

Link: CVE-2024-8526

Vulnrichment

Updated: 2024-11-21T17:38:28.819Z

NVD

Status : Received

Published: 2024-11-21T16:15:27.437

Modified: 2024-11-21T16:15:27.437

Link: CVE-2024-8526

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8526", "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f", "state": "PUBLISHED", "assignerShortName": "Carrier", "dateReserved": "2024-09-06T16:01:31.447Z", "datePublished": "2024-11-21T15:29:55.681Z", "dateUpdated": "2024-11-21T17:38:33.315Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WebCTRL", "vendor": "Automated Logic, a Carrier company", "versions": [{"status": "affected", "version": "7.0"}]}, {"defaultStatus": "unaffected", "product": "i-Vu", "vendor": "Carrier", "versions": [{"status": "affected", "version": "7.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously\ncrafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection\nof the user to a malicious webpage via \"index.jsp\""}], "value": "A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously\ncrafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection\nof the user to a malicious webpage via \"index.jsp\""}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 5.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f", "shortName": "Carrier", "dateUpdated": "2024-11-21T15:29:55.681Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"}, {"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This issue was fixed at version 8.0. It is recommended that customers upgrade their software to the latest supported version."}], "value": "This issue was fixed at version 8.0. It is recommended that customers upgrade their software to the latest supported version."}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned"], "title": "Automated Logic WebCTRL and Carrier i-Vu Open Redirect", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-21T17:38:21.418183Z", "id": "CVE-2024-8526", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T17:38:33.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-21T17:38:21.418183Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T17:38:28.819Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Automated Logic WebCTRL and Carrier i-Vu Open Redirect", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Automated Logic, a Carrier company", "product": "WebCTRL", "versions": [{"status": "affected", "version": "7.0"}], "defaultStatus": "unaffected"}, {"vendor": "Carrier", "product": "i-Vu", "versions": [{"status": "affected", "version": "7.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "This issue was fixed at version 8.0. It is recommended that customers upgrade their software to the latest supported version.", "supportingMedia": [{"type": "text/html", "value": "This issue was fixed at version 8.0. It is recommended that customers upgrade their software to the latest supported version.", "base64": false}]}], "references": [{"url": "https://www.corporate.carrier.com/product-security/advisories-resources/", "tags": ["vendor-advisory"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously\ncrafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection\nof the user to a malicious webpage via \"index.jsp\"", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously\ncrafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection\nof the user to a malicious webpage via \"index.jsp\"", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f", "shortName": "Carrier", "dateUpdated": "2024-11-21T15:29:55.681Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8526", "state": "PUBLISHED", "dateUpdated": "2024-11-21T17:38:33.315Z", "dateReserved": "2024-09-06T16:01:31.447Z", "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f", "datePublished": "2024-11-21T15:29:55.681Z", "assignerShortName": "Carrier"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "productsecurity@carrier.com", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously\ncrafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection\nof the user to a malicious webpage via \"index.jsp\""}], "id": "CVE-2024-8526", "lastModified": "2024-11-21T16:15:27.437", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "NONE"}, "source": "productsecurity@carrier.com", "type": "Secondary"}]}, "published": "2024-11-21T16:15:27.437", "references": [{"source": "productsecurity@carrier.com", "url": "https://www.cisa.gov/news-events/ics-advisories/"}, {"source": "productsecurity@carrier.com", "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"}], "sourceIdentifier": "productsecurity@carrier.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "productsecurity@carrier.com", "type": "Secondary"}]}