PT-2024-15930 · Unknown · Elektraweb

Published: 2024-06-27 · Updated: 2025-10-14 · CVE-2024-0949

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Elektraweb versions prior to 17.0.68

Description: The issue is related to improper access control, missing authorization, and incorrect permission assignment for critical resources. It allows exploitation of incorrectly configured access-control security levels, manipulation of web input passed to file-system calls, embedding of scripts within scripts, and other malicious activities. This can lead to modification of Windows service configuration, malicious root certificate installation, intent spoofing, WebView exposure, and incomplete data deletion in a multi-tenant environment.

Recommendations: For versions prior to 17.0.68, update to version 17.0.68 or later to resolve the issue. As a temporary workaround, restrict access to sensitive resources and disable unnecessary services until the update is applied. Additionally, restrict access to the Elektraweb configuration to minimize the risk of exploitation.

Fix

Missing Authorization

Using Hardcoded Credentials

Files Accessible to External Parties

Incorrect Permission

Missing Authentication

Improper Access Control

Incorrect Authorization

Related Identifiers

CVE-2024-0949

Affected Products

Elektraweb