Cyber Posture

CVE-2024-56973

Critical

Published: 14 February 2025

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0057 (68.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Insecure Permissions vulnerability in Alvaria, Inc Unified IP Unified Director before v.7.2SP2 allows a remote attacker to execute arbitrary code via the source and filename parameters to the ProcessUploadFromURL.jsp component.

Security Summary

CVE-2024-56973 is an Insecure Permissions vulnerability (CWE-281) affecting Alvaria, Inc's Unified IP Unified Director software in versions prior to 7.2SP2. The flaw resides in the ProcessUploadFromURL.jsp component, where inadequate permission controls on the source and filename parameters enable a remote attacker to execute arbitrary code. This issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact across confidentiality, integrity, and availability.

A remote attacker requires no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. By crafting requests to the vulnerable ProcessUploadFromURL.jsp endpoint using the source and filename parameters, the attacker can upload and execute malicious code on the target system, potentially leading to full server compromise, data theft, or further lateral movement within the environment.

Mitigation is to upgrade to Unified IP Unified Director version 7.2SP2 or later; all versions before 7.2SP2 are affected. Additional details, including potential proof-of-concept information, are available in the referenced advisory at https://gist.github.com/VAMorales/1092a29ac7d0b4b80d5c853b9a22a65d.

Details

CWE(s)
CWE-281

References