CVE-2024-38291

High

Published: 27 February 2025

Published

27 February 2025

Modified

11 July 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 45.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

In XIQ-SE before 24.2.11, a low-privileged user may be able to access admin passwords, which could lead to privilege escalation.

Security Summary

CVE-2024-38291 is a vulnerability in XIQ-SE versions prior to 24.2.11 that allows a low-privileged user to access admin passwords, potentially enabling privilege escalation. The issue stems from improper access control (CWE-284) and insufficiently protected credentials (CWE-522), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A low-privileged user with network access can exploit the vulnerability with low attack complexity and without requiring user interaction. Exploitation provides high-impact access to admin passwords, allowing the attacker to escalate privileges and potentially compromise confidentiality, integrity, and availability of the system.

Extreme Networks security advisory SA-2024-105 details the unauthorized access to user credentials in XIQ-SE and provides guidance on the issue, available at https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2024-105-xiq-se-unauthorized-access-to-user-credentials-cve/ba-p/116363. Mitigation requires updating to XIQ-SE version 24.2.11 or later.

Details

CWE(s): CWE-284CWE-522

Affected Products

extremenetworks

xiq-se

≤ 24.2.11

References

https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2024-105-xiq-se-unauthorized-access-to-user-credentials-cve/ba-p/116363
Vendor Advisory · cve@mitre.org