PT-2024-39634 · Linear · Linear Emerge E3-Series

Published: 2024-10-02 · Updated: 2024-11-23 · CVE-2024-9441

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Linear eMerge e3-Series versions 1.00-07

Description: The Linear eMerge e3-Series is vulnerable to an OS command injection issue. A remote and unauthenticated attacker can execute arbitrary OS commands via the login id parameter when invoking the forgot password functionality over HTTP. The vulnerability is actively exploited in the wild.

Recommendations: For Linear eMerge e3-Series versions 1.00-07, as a temporary workaround, consider disabling the forgot password functionality until a patch is available. Restrict access to the login id parameter in the affected HTTP endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2024-9441

Affected Products: Linear Emerge E3-Series