CVE-2024-51321
Published: 11 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2024-51321 affects Zucchetti Ad Hoc Infinity 2.4 and stems from an improper check on the m_cURL parameter. This vulnerability, classified as CWE-601 (URL Redirection to Untrusted Site), enables an attacker to redirect a victim to an attacker-controlled website following authentication. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H), indicating high severity due to its potential for significant integrity and availability impacts.
The attack requires network access, low complexity, low privileges (such as an authenticated account), and user interaction from the victim. An attacker with low privileges can manipulate the m_cURL parameter to trick an authenticated user into being redirected to a malicious site after login, potentially enabling phishing, credential theft, or further exploitation, with low confidentiality impact but high effects on integrity and availability.
Mitigation details are available in the advisory published by BackBox at https://members.backbox.org/zucchetti-ad-hoc-infinity-multiple-vulnerabilities/.
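The weakness described above is a post-login redirect parameter used without validation. The following Python is an added illustration, not code from Zucchetti or from the BackBox advisory: it places the unchecked pattern CWE-601 describes next to a validating version that only accepts site-relative paths or absolute URLs on an allow-listed host. The parameter name m_cURL is the one named in the advisory; the function names, the host list and the sample inputs are constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed placeholder values for the example; a real deployment would
# use its own host list and landing page.
ALLOWED_HOSTS = {"erp.example.internal"}
DEFAULT_LANDING = "/home"


def vulnerable_redirect_target(m_cURL: str) -> str:
    """The CWE-601 pattern: whatever the client supplied is used as-is."""
    return m_cURL or DEFAULT_LANDING


def safe_redirect_target(m_cURL: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a redirect target that cannot leave the application.

    Accepted: a site-relative path starting with a single "/", or an https
    URL whose hostname is in allowed_hosts. Anything else (other hosts,
    other schemes, protocol-relative "//host", backslash or userinfo
    tricks, control characters) falls back to the default landing page.
    """
    if not m_cURL:
        return DEFAULT_LANDING
    candidate = m_cURL.strip()

    # Browsers treat a backslash like a slash in the authority position,
    # so "/\evil.example" would be followed as "//evil.example".
    # Normalise first so the parser sees what the browser will see.
    candidate = candidate.replace("\\", "/")

    # CR/LF or other control characters in a Location header can be
    # abused for header injection on some stacks; refuse them outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return DEFAULT_LANDING

    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: hostname must be allow-listed.
        # parts.hostname ignores userinfo, so "allowed@evil.example" resolves
        # to evil.example and is rejected.
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return DEFAULT_LANDING
        return candidate

    # No scheme and no authority: require a plain site-relative path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_LANDING
    return candidate


if __name__ == "__main__":
    for sample in ("/account/orders", "//evil.example/login",
                   "https://erp.example.internal/home", "javascript:alert(1)"):
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```

The design choice worth noting is that validation happens on the parsed authority, not on a string prefix: checks such as `startswith("/")` alone still let `//evil.example` through, and checks such as `"erp.example.internal" in url` still let `erp.example.internal.evil.example` or `erp.example.internal@evil.example` through.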
Details
CWE(s): CWE-601 (URL Redirection to Untrusted Site)
Affected Products: Zucchetti Ad Hoc Infinity 2.4
MITRE ATT&CK Enterprise Techniques: T1566.002 (Phishing: Spearphishing Link), T1204.001 (User Execution: Malicious Link)
Why these techniques?
The open redirect vulnerability (CWE-601) directly enables crafting of URLs that redirect authenticated users to attacker-controlled sites, facilitating spearphishing via malicious links (T1566.002) and user execution upon clicking such links (T1204.001) for phishing or credential theft.