CVE-2024-53357
Published: 31 January 2025
Description
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Security Summary
CVE-2024-53357 involves multiple SQL injection vulnerabilities affecting EasyVirt DCScope versions up to and including 8.6.0 and CO2Scope versions up to and including 1.3.0. These flaws exist in various API endpoints related to user, group, and role management, such as /api/user/addalias, /api/user/updatealiasroute, /api/user/delalias, /api/user/aliases, /api/user/adduserroute, /api/user/updateuser, /api/user/deluser, /api/user/usersroute, /api/user/addrole, /api/user/updaterole, /api/user/delrole, and /api/user/roles. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-798.
Remote authenticated attackers with low privileges can exploit these SQL injection vulnerabilities to perform unauthorized administrative actions. This includes adding an admin user, modifying users, deleting users, retrieving user lists, adding a root group, modifying groups, deleting groups, retrieving groups, adding an admin role, modifying roles, deleting roles, and retrieving roles. Such actions enable privilege escalation and full control over user management within the affected applications.
The primary advisory reference is available at https://github.com/Elymaro/CVE/blob/main/EasyVirt/CVE-2024-53357.md, which provides further details on the vulnerability. No specific patch or mitigation information is detailed in the available data.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection allows low-privileged remote authenticated attackers to enumerate (T1087.001, T1069.001), create (T1136.001), manipulate (T1098), and delete (T1531) users/groups/roles, enabling privilege escalation (T1068).