PT-2024-6688 · ABB · Matrix Series+2
Published: 2024-04-21 · Updated: 2025-08-18 · CVE-2024-6298
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
ABB ASPECT Enterprise versions through 3.08.01
ABB NEXUS Series versions through 3.08.01
ABB MATRIX Series versions through 3.08.01
Description:
An improper input validation vulnerability exists in the uploadFile() function within the bigUpload.php script of ABB ASPECT Enterprise, NEXUS Series, and MATRIX Series embedded network building management controllers. This vulnerability allows for directory traversal due to insufficient input validation, potentially leading to remote code inclusion. Successful exploitation could allow a remote attacker to gain unauthorized access to the device, write arbitrary files, and execute arbitrary code.
Recommendations:
ABB ASPECT Enterprise versions prior to 3.08.01
ABB NEXUS Series versions prior to 3.08.01
ABB MATRIX Series versions prior to 3.08.01
Exploit
Fix
Path traversal
Relative Path Traversal
RCE
Affected Products
Aspect-Enterprise
Matrix Series
Nexus Series