PT-2022-16669 · Fidelis · Fidelis Network/Deception

Published

2022-05-17

Updated

2022-05-26

CVE-2022-24394

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Fidelis Network and Deception versions prior to 9.4.5

Description The issue allows authenticated command injection through the web interface using the filename parameter with the value "update checkfile". This could enable a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session.

Recommendations For versions prior to 9.4.5, update to version 9.4.5 or later to address this issue. As a temporary workaround, consider restricting access to the web interface or limiting the use of the filename parameter to minimize the risk of exploitation.

Fix

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-77

Related Identifiers

CVE-2022-24394

Affected Products

Fidelis Network/Deception

PT-2022-16669 · Fidelis · Fidelis Network/Deception

CVE-2022-24394

Weakness Enumeration

Related Identifiers

Affected Products

References · 5