CVE-2024-27708
Published: 22 December 2025
Description
Iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET v.26.06 and before allows a remote attacker to execute arbitrary code via the src parameter.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2024-27708 by requiring identification, reporting, and correction of the specific iframe injection flaw in MyNET v.26.06 and earlier.
Enforces validation of the src parameter input to block malicious iframe injections leading to arbitrary code execution.
Filters output of the src parameter in iframe elements to prevent injection of arbitrary code by remote attackers.
Security SummaryAI
CVE-2024-27708 is an iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET versions 26.06 and earlier. The flaw allows a remote attacker to execute arbitrary code by manipulating the src parameter, as associated with CWEs-74 and CWE-75. Published on 2025-12-22, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
A remote attacker requires no privileges and can exploit the vulnerability over the network with low attack complexity, though user interaction is necessary. Successful exploitation changes the scope and enables high-impact effects on confidentiality, integrity, and availability, culminating in arbitrary code execution on the targeted system.
Mitigation details are available in related advisories, including https://github.com/esquim0/Common_Vulnerabilities_and_Exposures_CVE/blob/main/2024/MyNet.md and the vendor site at https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Iframe injection vulnerability in public-facing web application allows remote unauthenticated attacker with user interaction to achieve arbitrary code execution, directly mapping to exploitation of public-facing applications.