PT-2024-29266 · Fog · Fog

C3R3Br4T3 · Published 2024-07-31 · Updated 2024-09-05 · CVE-2024-41108

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FOG versions prior to 1.5.10.41

Description: The hostinfo page in FOG has missing or improper access control, allowing configuration information to be obtained using only the host's MAC address, but only if a task is pending on that host. Otherwise, an error message containing "Invalid tasking!" is returned. The domainpassword in the hostinfo dump is hidden from authenticated users.

Recommendations: For versions prior to 1.5.10.41, update to version 1.5.10.41 to resolve the issue. As a temporary workaround, consider restricting access to the hostinfo page to minimize the risk of exploitation.

Exploit

Fix

Missing Authorization

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-41108
GHSA-P3F9-4JJ4-FM2G

Affected Products

Fog