PT-2024-5379 · Omnivise · Omnivise T3000 R8.2 Sp3+2

Published: 2024-06-21 · Updated: 2024-09-17 · CVE-2024-38878

CVSS v2.0: 8.3 (High)
Vector: AV:N/AC:L/Au:M/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Omnivise T3000 Application Server R9.2 (All versions)
Omnivise T3000 R8.2 SP3 (All versions)
Omnivise T3000 R8.2 SP4 (All versions)

Description
The issue stems from incorrect restriction of a directory path to a limited-access directory (path traversal). This could allow a remote attacker to upload arbitrary files. The vulnerability affects devices that allow authenticated users to export diagnostics data through a susceptible API endpoint, which could enable an authenticated attacker to download arbitrary files from the file system.

Recommendations
For Omnivise T3000 Application Server R9.2, restrict access to the API endpoint used for diagnostics data export until a patch is available.
For Omnivise T3000 R8.2 SP3, consider disabling the diagnostics data export feature to minimize the risk of exploitation.
For Omnivise T3000 R8.2 SP4, avoid using the susceptible API endpoint for diagnostics data export until the issue is resolved.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2024-06013
CVE-2024-38878

Affected Products

Omnivise T3000 Application Server R9.2
Omnivise T3000 R8.2 Sp3
Omnivise T3000 R8.2 Sp4