CVE-2024-13129
Published: 03 January 2025
Description
A vulnerability was found in Roxy-WI up to 8.1.3. It has been declared as critical. Affected by this vulnerability is the function action_service of the file app/modules/roxywi/roxy.py. Manipulation of the argument action/service leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.1.4 addresses this issue. The identifier of the patch is 32313928eb9ce906887b8a30bf7b9a3d5c0de1be. It is recommended to upgrade the affected component.
Security Summary
CVE-2024-13129 is a critical OS command injection vulnerability (CWE-77, CWE-78) affecting Roxy-WI versions up to 8.1.3. The flaw exists in the action_service function of the file app/modules/roxywi/roxy.py, where manipulation of the action/service argument enables injection of arbitrary operating system commands.
The vulnerability is remotely exploitable over the network with low attack complexity and no user interaction required, but it requires low privileges (PR:L), per its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An authenticated attacker with minimal access can achieve remote code execution, resulting in high-impact compromise of confidentiality, integrity, and availability on the targeted system.
Mitigation is available through an upgrade to Roxy-WI version 8.1.4, which includes the fixing commit 32313928eb9ce906887b8a30bf7b9a3d5c0de1be as part of pull request #410. Relevant advisories and resources are hosted on the project's GitHub repository, including the release tag for v8.1.4.
A proof-of-concept exploit has been publicly disclosed on GitHub, heightening the potential for widespread abuse.
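The vulnerability class above arises when request-controlled values such as an action name and a service name are concatenated into a command string that is handed to a shell. The following is an added illustration, not Roxy-WI's code and not the project's fix: it shows the defensive pattern of mapping both parameters through closed allowlists and invoking the process with an argv list (no shell), so that nothing from the request is ever interpreted by a shell. The allowlisted action and service names, the use of systemctl, and the function names are all assumptions chosen for the example.

```python
import shlex
import subprocess

# Hypothetical allowlists (assumption for this example): a real application
# would enumerate exactly the actions and services it is meant to manage.
ALLOWED_ACTIONS = frozenset({"start", "stop", "restart", "reload", "status"})
ALLOWED_SERVICES = frozenset({"haproxy", "nginx", "keepalived", "apache2"})


def build_service_command(action: str, service: str) -> list[str]:
    """Map user-supplied action/service names to a fixed argv list.

    Both values are checked against closed allowlists before use. Input that
    is not on the list is rejected outright rather than "sanitised": there is
    no legitimate reason for these parameters to carry anything else, and
    rejection is far easier to reason about than escaping.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    if service not in ALLOWED_SERVICES:
        raise ValueError(f"unsupported service: {service!r}")
    # argv as a list: with shell=False each element is passed to the program
    # as a separate argument, so metacharacters have no special meaning.
    return ["systemctl", action, service]


def run_service_action(action: str, service: str, dry_run: bool = True) -> str:
    """Validate, then execute without a shell.

    dry_run=True (the default here, so the example runs anywhere) returns the
    command that would be executed; dry_run=False actually runs it. Note the
    absence of shell=True and of any string formatting of the command.
    """
    argv = build_service_command(action, service)
    if dry_run:
        return shlex.join(argv)
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout


if __name__ == "__main__":
    print(run_service_action("restart", "haproxy"))
    for bad in ("haproxy; true", "nginx$(true)", "../etc"):
        try:
            build_service_command("status", bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The contrast with the vulnerable pattern is the point: building `f"systemctl {action} {service}"` and passing it to a shell lets any shell syntax in either parameter change the command, whereas the allowlist plus argv list leaves no path from request bytes to a shell parser. The allowlist check also gives a clean place to log rejected values, which is a useful detection signal for attempts against this endpoint.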
Details
- CWE(s)