CVE-2024-54767
Published: 06 January 2025
Description
An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication. NOTE: this is disputed by the Supplier because it cannot be reproduced, and the issue report focuses on an unintended configuration with direct Internet exposure.
Security Summary
CVE-2024-54767 is an access control vulnerability in the /juis_boxinfo.xml component of AVM FRITZ!Box 7530 AX version 7.59. Published on January 6, 2025, it enables attackers to obtain sensitive information without authentication and is associated with CWE-203 (Observable Discrepancy). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effects on integrity or availability.
Exploitation requires only that the attacker can reach the device's web interface over the network: no credentials, no user interaction and low attack complexity. A request for /juis_boxinfo.xml then returns device information that should be available only to an authenticated session. Note that the CVSS vector (AV:N) assumes the interface is reachable from the attacker's network position; on a device whose web interface is reachable only from the LAN, the exposure is limited to LAN clients.
The supplier, AVM, disputes the report: it states the issue cannot be reproduced and that the reported finding depends on an unintended configuration in which the device's web interface is directly exposed to the Internet. No patch or supplier mitigation is listed in the available references; the practical check is therefore to confirm that the management interface is not reachable from the WAN side. The references are the reporter's GitHub write-up at https://github.com/Shuanunio/CVE_Requests/blob/main/AVM/fritz/AVM_FRITZ%21Box_7530%20AX_unauthorized_access_vulnerability_first.md and the associated issue at https://github.com/Shuanunio/CVE_Requests/issues/1.
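The following is an added example, not code from the advisory, from AVM or from the reporter. It probes a FRITZ!Box for the condition described above: an unauthenticated GET to /juis_boxinfo.xml answered with an XML document. The sample response body is constructed for the test; the namespace and element names in it are assumptions about the file's format, which is why the extractor strips namespaces and collects every leaf element rather than relying on a fixed schema. The `probe()` helper is meant to be run from outside the LAN against the device's public address, since the supplier's position is that the interface should not be reachable there at all.

```python
"""Check whether /juis_boxinfo.xml is served without authentication (CVE-2024-54767 style probe)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

PATH = "/juis_boxinfo.xml"

# Field names that, if present in an unauthenticated response, count as sensitive device data.
SENSITIVE_HINTS = ("serial", "version", "revision", "hw")

# Constructed sample response. The element names and namespace are assumptions made for this
# example; real firmware output may differ, and the parser below does not depend on them.
SAMPLE_BODY = """<?xml version="1.0" encoding="utf-8"?>
<j:BoxInfo xmlns:j="http://example.invalid/boxinfo">
  <j:Name>FRITZ!Box 7530 AX</j:Name>
  <j:HW>256</j:HW>
  <j:Version>256.07.59</j:Version>
  <j:Revision>000000</j:Revision>
  <j:Serial>000000000000</j:Serial>
</j:BoxInfo>"""


def classify_response(status, content_type, body):
    """Map an HTTP reply to one of: exposed, protected, absent, other.

    'exposed' means the device returned 200 with an XML body although no credentials were sent,
    i.e. the access control the advisory describes is missing at this network position."""
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    looks_xml = "xml" in (content_type or "").lower() or body.lstrip().startswith("<")
    if status == 200 and looks_xml:
        return "exposed"
    return "other"


def extract_fields(body):
    """Flatten all leaf elements into {localname: text}, ignoring namespaces.

    xml.etree does not resolve external entities, so this is safe against XXE on untrusted
    input; it is still wise to cap the body size before parsing (done in probe())."""
    root = ET.fromstring(body)
    fields = {}
    for el in root.iter():
        if len(el) == 0 and el.text and el.text.strip():
            local = el.tag.rsplit("}", 1)[-1]
            fields[local] = el.text.strip()
    return fields


def sensitive_fields(fields):
    """Subset of extracted fields whose names suggest device-identifying data."""
    return {k: v for k, v in fields.items() if any(h in k.lower() for h in SENSITIVE_HINTS)}


def assess(status, content_type, body):
    """Combine classification and field extraction into one verdict dict."""
    verdict = classify_response(status, content_type, body)
    result = {"verdict": verdict, "fields": {}, "sensitive": {}}
    if verdict == "exposed":
        try:
            result["fields"] = extract_fields(body)
            result["sensitive"] = sensitive_fields(result["fields"])
        except ET.ParseError:
            result["verdict"] = "other"  # 200 with non-XML content: not the described condition
    return result


def probe(base_url, timeout=5, max_bytes=64 * 1024):
    """Fetch PATH from base_url with no credentials and assess the reply.

    base_url is e.g. "http://203.0.113.10" (documentation address; substitute the real
    public IP or hostname of the device under test)."""
    req = urllib.request.Request(base_url.rstrip("/") + PATH, headers={"User-Agent": "boxinfo-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read(max_bytes).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, ctype, body = e.code, e.headers.get("Content-Type", ""), ""
    return assess(status, ctype, body)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else assess(200, "text/xml", SAMPLE_BODY))
```

A "protected" or "absent" verdict from the WAN side is the expected state; an "exposed" verdict from outside the LAN is the condition the reporter describes and, per AVM, a sign the device's web interface has been deliberately opened to the Internet and should be closed again. Running the same probe from the LAN tells you only whether local clients can read the file, which the CVSS vector above does not distinguish.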
Details
- CWE(s)