CVE-2024-24292
Published: 28 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2024-24292 is a Prototype Pollution vulnerability, classified under CWE-1321, affecting Aliconnect /sdk version 0.0.6. The flaw exists in the aim function within the aim.js component, enabling an attacker to execute arbitrary code by polluting the JavaScript prototype chain.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low attack complexity, no required privileges, and no user interaction. An unauthenticated attacker can achieve high impacts on confidentiality, integrity, and availability through arbitrary code execution on affected systems.
Mitigation details and further analysis are provided in the referenced advisory at https://gist.github.com/tariqhawis/a8b2c936622c885558173c37df0a77d9.
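As an added illustration of the CWE-1321 pattern behind this advisory (example code, not the Aliconnect SDK's own; the internals of its aim function are not reproduced here), the block below shows a recursive merge that lets a parsed JSON document reach Object.prototype, the hardened form of the same merge, and a probe a test suite can use to confirm the fix holds.

```javascript
// Added example, not code from the Aliconnect SDK: a generic CWE-1321 merge
// pattern, its hardened form, and a probe that detects the pollution.
// Vulnerable pattern: every key in the input is copied, so a key named
// "__proto__" walks into Object.prototype and the next assignment lands there.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
// Hardened form: iterate own keys only, refuse the keys that reach the
// prototype chain, and only descend into properties the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Probe: has the marker landed on Object.prototype itself?
function isPolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}
// Constructed payload in the shape prototype-pollution inputs take. JSON.parse
// yields an own property literally named "__proto__", not a prototype link.
const PAYLOAD = '{"__proto__": {"pollutedByExample": true}}';
function demonstrate() {
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const afterUnsafe = isPolluted('pollutedByExample');
  delete Object.prototype.pollutedByExample;        // undo the global damage
  safeMerge({}, JSON.parse(PAYLOAD));
  const afterSafe = isPolluted('pollutedByExample');
  return { afterUnsafe, afterSafe };                // { afterUnsafe: true, afterSafe: false }
}
```

Running the probe against a library's merge or option-parsing entry point with such a constructed payload is a quick regression check that a patched version no longer reaches the prototype chain.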
Details
- CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")
Affected Products
- Aliconnect /sdk version 0.0.6
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1059.007: Command and Scripting Interpreter: JavaScript
Why these techniques?
Remote, unauthenticated RCE via prototype pollution in a JavaScript SDK maps directly to exploitation of public-facing applications (T1190) and to JavaScript-based command and script execution (T1059.007).